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ABSTRACT 


As  the  number  of  computers  and  computer  systems  in  existence  has  grown  over 
the  past  few  decades,  we  have  come  to  depend  on  them  to  maintain  the  security  of  private 
or  sensitive  information.  The  execution  of  a  program  may  cause  leaks  of  private  or 
sensitive  information  from  the  computer.  Static  secure  flow  analysis  is  an  attempt  to 
detect  these  leaks  prior  to  program  execution. 

It  is  possible  to  analyze  programs  by  hand,  but  this  is  often  impractical  for  large 
programs.  A  better  approach  is  to  automate  the  analysis;  which  is  what  this  thesis 
explores. 

We  describe  some  previous  research  and  give  background  information  about 
secure  flow  analysis.  A  secure  flow  analyzer  is  presented.  It  implements  a  secure  flow 
type  mference  algorithm,  for  a  subset  of  Java  1.0.2,  using  a  parser  generator  called  Java 
Conqjiler  Compiler  (JavaCC).  Semantic  actions  are  inserted  into  a  grammar  specification 
to  perform  the  secure  flow  analysis  on  a  given  program. 
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I.  INTRODUCTION 


The  number  of  computers  and  computer  networks  has  exploded  over  the  past  few 
decades,  and  computer  security  is  a  major  concern.  In  a  multi-level  system  where 
information  exists  with  different  security  classifications,  such  as  a  military  computer 
system,  we  want  to  protect  information  with  a  high  security  classification.  It  is  desirable 
to  have  an  automated  tool  to  detect  whether  information  we  wish  to  keep  secret  in 
applications  remains  secret  and  is  not  leaked.  This  thesis  introduces  a  program  that  will 
statically  analyze  a  subset  of  Java  programs  to  ensure  that  private  information  is  not 
leaked. 

A.  SECURE  INFORMATION  FLOW 

Verifying  secine  information  flow  within  computer  systems  is  necessary  in  order 
to  protect  sensitive  information,  especially  in  a  military  system  Denning  and  Denning 
state  that  information  flow  occurs  from  a  storage  object  x  to  another  storage  object  y 
when  information  stored  in  x  is  transferred  to  y,  or  used  to  derive  information  transferred 
to  y.  A  flow  may  be  either  explicit  or  implicit  [1]. 

Explicit  information  flow  occurs  when  information  is  directly  copied  or 
transferred  from  one  storage  object  to  another.  Consider  the  code  segment  "y  :=  x".  The 
information  contained  in  x  is  directly  copied  into  y,  so  information  flows  from  x  to  y. 

The  flow  from  x  to  y  is  independent  of  the  value  stored  in  x. 

Implicit  flow  occurs  when  information  is  indirectly  copied  or  transferred  from  one 
storage  object  to  another.  If  the  variable  x  contains  either  0  or  1,  then  the  following  code 
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segment  will  copy  the  value  of  x  into  y  using  an  implicit  flow: 

y  :=  0;  if  (x  =  1)  then  y  :=  1 

In  this  case,  there  is  no  direct  flow  from  x  to  y.  However,  the  value  of  x  determines 
whether  the  then  statement  will  be  executed.  The  flow  in  both  of  these  examples  is 
allowed  only  if  the  security  classification  of  y  is  at  least  that  of  x.  For  instance,  if  x  were 
classified  high  then  y  must  also  be  classified  high  in  order  for  the  code  to  be  secure  [1]. 

B.  A  TYPE-BASED  TREATMENT  OF  SECURE  INFORMATION  FLOW 
Goguen  and  Meseguer  introduced  a  notion  of  security  for  deterministic  computer 

systems  called  noninterference  [2].  The  basic  idea  is  that  a  system  has  users  who  may 
supply  information  with  various  security  classifications  to  the  system.  A  system  satisfies 
the  noninterference  property  if  its  low-level  outputs  remain  the  same  when  its  high-level 
inputs  are  changed. 

Volpano  and  Smith  [3]  have  applied  this  idea  to  programming  languages.  When 
applied  to  languages,  the  idea  is  that  low-level  program  outputs  are  unaffected  by 
changes  in  high-level  program  inputs. 

C.  A  TYPE  INFERENCE  ALGORITHM 

Volpano  and  Smith  go  on  to  describe  an  algorithm  that  is  defined  by  cases  on  the 
phrases  of  a  simple  imperative  language.  The  evaluation  of  an  expression  returns  a 
principal  type  and  a  set  of  typing  constraints.  A  typing  constraint  is  an  inequality 
between  two  types  that  are  security  levels.  For  example,  if  x  is  type  high  and  x'  is  type 
low  then  x'  <  x  is  a  constraint.  Note  that  x'  =  x  is  equivalent  to  x'  <  x  and  x  <  x’.  It  is 

important  to  note  also  that  the  algorithm  produces  constraints  among  type  variables, 

where  a  type  variable  ranges  over  types  like  high  and  low.  Constraint-set  satisfiability 
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can  be  used  on  the  set  of  constraints  to  determine  whether  illegal  flows  exist  in  the 
program  being  analyzed,  for  instance,  if  a  constraint  set  contains  high  <  low. 

The  classifications,  or  types,  over  which  type  variables  range,  depend  on  the 
system  being  modeled.  In  a  typical  military  system,  the  types  would  be  unclassified, 
confidential,  secret,  and  top  secret.  For  the  purposes  of  this  discussion,  we  consider  a 
simple  system  of  only  two  types,  high  and  low,  where  low  <  high. 

As  an  example  of  how  the  algorithm  works,  consider  the  case  of  the  preceding 
assignment  statement,  y  :=  x.  Assuming  x  and  y  have  already  been  assigned  the  type 
variables  Xo  and  Xi  respectively,  the  following  set  of  constraints  will  be  generated  by  the 
type  inference  algorithm; 

{Xo<T2,  Xi  =  X2,X3<X2} 

Therefore,  the  principal  type  of  the  expression  is  X3  cmd.  The  constraint  set  can  be 
simplified  to  {xo<  xi,  X3  <  xi}.  So,  for  the  assignment  statement  y  :=  x,  the  algorithm 

states  that  the  classification  of  y  must  be  at  least  as  high  as  the  classification  of  x.  The 

second  constraint  allows  downward  coercion  on  command  types  [7]. 

D.  AN  IMPLEMENTION  OF  THE  ALGORITHM 

This  thesis  presents  a  Java  program  that  implements  the  type  inference  algorithm. 

The  program  is  generated  from  a  specification  that  is  input  to  a  compiler  compiler  called 

JavaCC.  JavaCC  is  a  tool  that  reads  a  grammar  specification  written  in  a  LEX/  YACC- 

like  manner  and  converts  it  into  a  parser  for  the  grammar.  The  algorithm  was 

incorporated  into  a  grammar  specification  for  Java  1.0.2  supplied  with  the  JavaCC 

distribution.  The  actions  specified  by  the  algorithm  were  performed  by  adding  Java  code 
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(semantic  actions)  to  the  corresponding  productions  in  the  grammar  specification.  The 
generated  parser  is  a  secure  flow  analyzer  for  a  subset  of  Java.  Several  statements, 
expressions,  and  other  Java  functionality  were  removed  from  the  grammar  specification 
because  they  are  not  currently  supported  by  the  type  inference  algorithm 
E,  THESIS  ORGANIZATION 

Work  in  the  area  of  secure  information  flow  and  a  lattice  model  of  secure 
information  flow  are  discussed  m  Chapter  II,  followed  by  a  description  of  the  secure  flow 
type  system  in  Chapter  HI.  The  type-inference  algorithm  is  discussed  in  Chapter  IV.  In 
Chapter  V,  the  static  analyzer  and  the  Java  subset  we  consider  are  discussed.  Chapter  VI 
gives  an  example  run  of  the  analyzer,  and  Chapter  Vn  discusses  some  possible  future 
work  and  presents  conclusions  about  secure  flow  analysis  and  the  static  analyzer. 
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II.  THE  LATTICE  MODEL  OF  SECURE  INFORMATION  FLOW 


The  security  mechanisms  of  most  computer  systems  do  not  attempt  to  detect  or 
prevent  insecure  information  flows.  Computer  system  security  requires  that  programs  at 
high  security  levels  be  unable  to  transfer  information  to  low  security  users  or  programs. 
Most  access  control  mechanisms  are  concerned  with  direct  access  control  and  are  not 
concerned  with  information  flow  channels  that  may  exist.  Other  systems  rely  on  the 
trustworthiness  of  processes  [5]. 

In  the  lattice  model  of  secure  flow,  a  flow  policy  is  represented  by  the  poset 
[5].  S  is  a  set  of  security  classes  and  is  a  partial  order,  called  the  flow 

relation.  The  flow  relation  specifies  permissible  flows  between  the  security  classes. 
Every  variable  x  is  assigned  a  security  class,  denoted  x,  that  is  statically  bound  to  x  and 
that  can  be  determined  at  conqiile  time  from  declarations  given  in  the  program.  If  x  and 
y  are  variables  in  a  program  and  an  information  flow  from  x  to  y  exists,  then  the  flow  is 
allowed  if  x  y  [6]. 

Each  programming  construct  has  a  certification  rule.  Some  rules,  such  as 
assignment  statements,  certify  explicit  flows  and  other  rules,  such  as  if  statements,  certify 
implicit  flows.  An  assignment  statement,  x  :=  y,  will  be  certified  if  x  y.  The  rules  for 
conditional  constructs  such  as  the  following  if  statement  certify  implicit  flows. 

if  X  =  0  then  y  :=  0  else  z  :=  1 
This  statement  is  certified  if  x  y  and  x  ^  z. 

If  the  poset  <S,  ‘^>  is  a  lattice,  then  there  is  a  unique  least  upper  bound  and 

greatest  lower  bound  for  any  pair  of  classes.  A  simple  grammar  consisting  of  synthesized 

attributes  can  be  given  to  certify  programs.  The  attributes  are  security  classes  computed 
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using  the  least  upper  bound,  lub,  and  greatest  lower  bound,  gib,  operations.  For  example, 
the  certification  requirement  for  the  above  if  statement  becomes  the  single  condition 
X  glb(y,  z)  [6]. 
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in.  A  SECURE  FLOW  TYPE  SYSTEM 


Volpano,  Irvine,  and  Smith  describe  a  type  system  consisting  of  a  set  of  type 
inference  rules  and  axioms  for  deriving  typing  judgements.  The  types  of  the  system  are 
divided  into  three  levels.  One  level  contains  data  types,  which  we  refer  to  as  r  types. 
These  are  the  security  classes  of  Denning's  model  and  they  are  partially  ordered,  for 
example,  low  <  high. 

At  the  next  level,  are  the  tt  types.  They  consist  of  the  data  types  t,  command 
types  T  cmd  and  the  procedure  types 

zprocixi,  t2  var,  ts  acc) 

A  variable  of  type  t  var  means  it  can  store  information  at  level  r.  A  command  has  type 
T  cmd  only  if  every  assignment  in  the  command  is  made  to  a  variable  whose  security 
level  is  T  or  higher.  Lastly,  the  t  in  the  above  procedure  type  refers  to  the  security  level 
of  its  body.  That  is,  a  call  to  a  procedure  of  this  type  would  have  type  t  cmd. 

At  the  third  and  final  level  are  the  p,  or  phrase,  types.  They  consist  of  are  the 

n  types,  type  t  var  and  type  t  acc  (we  ignore  type  t  acc).  So,  our  procedure  types,  in  this 
this,  are  of  the  form: 

Tproc{xivar,...,XoVar) 

The  partial  order  on  t  types  is  extended  to  a  subtype  relation  over  phrase  types. 
The  subtype  relation  is  anti-monotonic  in  the  types  of  the  commands,  meaning  if  t  is  a 
subtype  of  t* ,  then  t'  cmd  is  a  subtype  of  t  cmd.  The  intuition  here  is  that  if  one  can  read 
level  t'  (high)  information  then  they  can  read  level  t  (low)  information.  There  is  also  a 
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typical  type  subsumption  rule  that  states  if  a  phrase  has  type  p  then  it  can  be  assigned  a 
type  p'  if  p  is  a  subtype  of  p'  [7]. 

The  typing  rules  of  the  system  guarantee  secure  explicit  and  implicit  flow. 
Consider  the  typing  rule  for  assignment: 

7 1-  X  :  T  var 

y\-q:  t _ 

y\-  X  :=  e  :  zcmd 

where  7  is  an  identifier  typing  that  maps  identifiers  to  p  types.  The  rule  states  that  the 
explicit  flow  from  expression  e  to  variable  x  is  secure  if  e  and  x  have  the  same  security 
level.  This  does  not  prevent  e  from  having  a  lower  security  level  than  x,  because 
subtyping  allows  the  level  to  be  coerced  upward. 

The  next  example  shows  a  rule  that  deals  with  a  situation  where  an  implicit  flow 
exists.  Consider  the  following  program  phrase  where  x  is  either  0  or  1 : 
if  X  =  1  then  y  :=  1  else  y  :=  0 

There  is  no  ei^licit  flow  from  x  to  y,  but  when  the  phrase  is  executed,  y  will  contain  the 

value  of  X.  To  guarantee  the  implicit  flow  from  x  to  y  is  secure,  the  following  typing  rule 
is  used: 

7|-  e :  T 
7 1-  c  :  T  cmd 

y|-  c* :  Tcmd _ 

7|-  if  e  then  c  else  c' :  xcmd 

The  commands  c  and  c'  must  have  type  x  cmd,  because  information  of  type  x  is  implicitly 
known  by  evaluating  the  predicate  e.  Therefore  c  and  c'  can  only  make  assignments  to 
variables  at  security  level  x  or  higher.  The  rule  requires  e,  c,  and  c'  to  have  the  same 
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security  level,  namely  r.  Nevertheless,  an  upward  implicit  flow  from  e  to  c  and  c'  can  be 
accommodated  by  subtyping. 

There  is  also  a  rule  for  local  variable  declarations.  A  local  variable  declaration  of 
the  form 

letvar  x  :=  e  in  c 

creates  a  variable  x  with  an  initial  value  e,  whose  scope  is  command  c.  The  initialization 
of  X  may  cause  an  implicit  flow,  but  it  is  always  harmless. 

Two  lemmas  are  needed  to  prove  type  soundness:  Simple  Security  and 
Confinement.  Simple  Security  applies  to  expressions  and  Confinement  applies  to 
commands.  If  an  expression  e  can  be  assigned  type  t,  then  Simple  Security  states  that 
only  variables  of  type  t  or  lower  will  be  read  when  e  is  evaluated  (no  read  up). 
Confinement  says  that  if  a  command  c  can  be  assigned  type  t  cmd,  then  every  variable 
that  is  updated  in  c  has  security  level  t  or  higher  (no  write  down).  These  two  lemmas  are 
used  to  prove  that  the  type  system  is  sound.  Soundness  is  formulated  as  a 
noninterference  property.  The  noninterference  property  states  that  variables  in  a  well- 
typed  program  do  not  interfere  with  variables  at  lower  security  levels. 

It  is  possible  to  automatically  check  whether  a  program  is  well  typed,  using  the 
techniques  of  type  inference.  The  basic  idea  of  type  inference  is  to  use  type  variables  to 
represent  unknown  types  in  a  program,  and  to  generate  constraints  iu  the  form  of 
inequalities.  An  assignment  of  types  to  these  variables  must  satisfy  the  constraints  in 
order  for  the  program  to  be  well  typed  with  respect  to  that  assignment.  A  principal  type 
can  be  formulated  that  represents  all  possible  types  the  program  can  be  given. 
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IV.  A  SECURE  FLOW  TYPE  INFERENCE  ALGORITHM 


A  type  inference  algorithm  that  ensures  secure  information  flow  is  described  in 
this  chapter.  Volpano  and  Smith  have  extended  the  type  system  discussed  in  the  previous 
chapter  to  a  simple  language  with  first  order  procedures  [3].  They  also  prove  the 
noninterference  property  for  the  system  in  order  to  establish  the  type  soundness  in  the 
context  of  procedures.  Figure  1  shows  the  core  language  they  considered. 

expressions  ::=  x  |  «  |  / 1 
+  ^2  I 

proc(in  xj,  inout  X2,  out  x^)  c 

commands  ::=  cj;  C2  \ 

if  e  then  ci  else  C2  \ 
while  e  do  c  I 
Qi  :=e2| 

letvar  x  :=  e  in  c  | 

letproc  X  (in  xy,  inout  X2,  out  x^)  c  in  c'  | 
e{ei,e2,es) 

Figure  1.  Core  Language 

For  expressions,  meta-variable  x  ranges  over  identifiers,  n  ranges  over  integer  literals, 
and  /  ranges  over  locations.  Ejqjressions  also  consist  of  anonymous  procedure 
e5q)ressions.  Their  names  are  provided  via  letproc. 

Commands  consist  of  the  following:  composition  of  commands,  if,  while  loops, 
assignment,  variable  declarations,  procedure  declarations,  and  procedure  calls. 

Volpano  and  Smith  give  a  secure  flow  type  inference  algorithm  in  [3].  It  is  shown 
in  Figure  2  and  is  defined  by  cases  on  the  phrases  of  the  core  language.  The  algorithm 
takes  as  inputs  a  location  typing  A,  an  identifier  typing  y,  a  program  phrase  p,  and  a  set  of 
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Figxire  2.  Volpano-Smith  Type  Inference  Algorithm 
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type  variables  V.  A  location  typing  maps  addresses  to  t  types  and  an  identifier  typing 
maps  variables  to  types  t  and  t  var,  for  some  t.  The  latter  treats  free  variables  in  a 
program,  while  the  former  treats  free  addresses.  We  shall  assume  programs  have  no  free 
addresses,  and  drop  A  from  the  implementation  of  the  type  inference  algorithm.  The  set  V 

contains  a  list  of  previously-used  type  variables  and  allows  the  algorithm  to  choose  new 

% 

type  variables.  If  the  algorithm  succeeds,  it  returns  a  triple  consisting  of  a  set  of 
constraints  C,  a  type  n,  and  the  updated  set  of  stale  variables  V.  The  constraints  in  C  are 
inequalities  among  type  variables. 

To  illustrate  how  the  algorithm  works,  we  give  an  example  from  [3],  shown  in 
Figure  3,  of  a  procedure  that  indirectly  copies  a  variable  x  to  another  variable  y. 

proc  (in  x,  out  y) 
letvar  a  :=  x  in 
letvar  b  :=  0  in 
while  a  >  0  do 
b  :=b+  1; 
a  :=a- 1; 
y:=b 

Figure  3.  Example  Program 

Figure  4  shows  the  results  of  calling  the  algorithm  on  the  procedvire.  The  algorithm  yields 
a  triple  consisting  of  a  set  of  stale  type  variables  V,  the  list  of  generated  constraints  and 
the  type  of  the  procedure,  here  denoted  by  n .  This  triple  is  used  to  form  the  principal 
type  for  the  procedure. 

Type  simplification  can  be  used  to  simplify  the  constraint  set  C  and  type  n  [8]. 

The  static  analyzer  developed  for  this  thesis  does  not  include  any  mechanism  to  perform 
type  simplification  and  such  simplification  is  shown  here  for  demonstration  purposes 
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V  =  {a,  Y,  V,  o,  s,  i,  C  V,  6,  rj,  0,  k,X,P,^ 

C=  {a<Y,  v=  o,  f  =  i,  v<e,  s=  ^  ySe,  i=  v,  S=  7,  i<S, 

JJ=  0,S<  Tj,Y=  K  v<r,  K=  X,  y<K  p  =  4,  o<p  S<^ 
n=  (v  proc(a,;5acc)) 

Figure  4.  Algorithm  Results  of  Sample  Program 

only.  The  first  step  collapses  the  strongly  connected  types  and  produces  a  more  useful 
form,  as  shown  in  Figure  5. 


V=  {a,o,d,^ 

C=  {8<4o<X,X<8,  a<K) 

7t  =  (o  proc(a,  4accS) 

Figure  5.  Algorithm  Results  after  Type  Simplification 
Further  simplification  is  possible  leading  to  the  7t  in  Figure  6. 


It  =  (^proc(^,  4accj) 

Figure  6,  Principal  Type  after  Applying  Monotonicity-Based  Instantiations 


14 


V.  IMPLEMENTATION  OF  THE  TYPE  INFERENCE  ALGORITHM 
The  static  analyzer  that  perfbnns  the  security  checks  specified  by  the  type 
inference  algorithm  was  developed  using  the  Java  Compiler  Compiler  (JavaCC).  JavaCC 
takes,  as  input,  a  grammar  specification.  The  output  is  a  Java  program  that  will  parse  the 
specified  language  and  perform  the  semantic  actions  indicated  in  the  grammar 
specification. 

Rather  than  start  from  scratch  and  build  a  JavaCC  specification  for  the  language 
in  Figure  1 ,  we  started  with  a  grammar  specification  for  Java  1 .0.2,  which  we  modified  to 
reflect  the  language  in  Figure  1.  Semantic  actions  were  added  to  encode  the  type 
inference  algorithm.  The  specification  is  given  in  Appendix  A.  There  are  several 
restrictions  imposed  on  the  kinds  of  Java  programs  that  the  static  analyzer  can  check 
because  there  are  many  constructs  in  the  Java  language  that  are  not  currently  treated  in 
the  type  inference  algorithm.  Each  of  the  phrases  in  Figure  1  was  mapped  to  a 
corresponding  expression  or  statement  in  the  Java  grammar  specification. 

A.  A  BRIEF  LOOK  AT  JAVACC 

JavaCC  constructs  a  Java  program  that  acts  as  a  recursive  descent  parser  for  the 
language  described  by  the  grammar  specification.  A  sample  from  the  Java  1.0.2  grammar 
specification  is  shown  in  Figure  7.  The  sample  shows  three  productions  that  are  used  to 
parse  a  Java  method  declaration  and  parameters.  JavaCC  converts  each  production  into  a 
method  in  the  generated  parser. 
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void  MethodDeclarator ( )  : 

{} 

{ 

<IDENTIFIER>  FormalParameters { )  (  "["  "]"  )* 

} 

void  FormalParameters ( )  : 

{) 

{ 

"("  [  FormalParameter ( )  (  FormalParameter ( )  )*  ]  ")" 


void  FormalParameter ( )  : 

{} 

{ 

TypeO  VariableDeclaratorldO 

} 


Figure  7.  Sample  Productions 

Each  production  begins  with  the  return  type  of  the  corresponding  method  in  the 
parser,  which  is  void  for  the  three  productions  in  Figure  7.  The  name  of  the  production 
will  also  be  the  name  of  the  method  in  the  parser.  Parameter  passing  can  be  adding  to  the 
productions  in  the  same  way  it  is  used  in  Java  programs. 

There  is  a  notion  of  "calling"  a  production  because  of  its  relationship  with  the 
corresponding  method  in  the  generated  parser.  For  example,  if  the  production 
FormalParameter  ( )  in  Figure  7  is  called,  it  will  in  turn  call  the  productions 
Type { )  and  VariableDeclaratorld  ( )  . 

Java  code  can  be  added  anywhere  in  the  production,  but  must  be  enclosed  in  curly 
braces,  "{  }".  When  JavaCC  converts  the  production  into  its  corresponding  method,  the 
added  code  will  remain  where  it  was  placed.  Local  variable  declarations  for  any 
production  should  be  inserted  in  the  first  set  of  curly  braces  of  that  production.  In  the 
three  productions  shown  in  Figure  7,  there  are  no  local  variable  declarations. 
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B.  IMPLEMENTEVG  THE  ALGORITHM  USING  JAVACC 

There  are  two  main  data  structures  in  the  implementation  of  the  algorithm  The 
first  is  called  gamma,  and  contains  identifier  typings.  The  second  is  called  triple,  and 
consists  of  the  items  returned  by  the  type  inference  algorithm,  namely,  a  set  of  constraints 

C,  a  type  n,  and  a  list  of  stale  type  variables  V. 

The  initial  attempt  to  implement  the  algorithm  used  two  Stacks  from  the  Java 
utility  package.  The  gamma  stack  held  objects  called  gamma  items.  A  gamma  item 
consisted  of  a  variable  name  and  its  type  variable.  The  triple  stack  contained  the  triple 
items  consisting  of  the  constraint  set  in  the  form  of  a  linked  list  and  the  principal  type. 

The  set  of  stale  type  variables  was  kept  in  a  separate  symbol  generator  for  the  entire 
program. 

The  idea  of  the  gamma  stack  was  to  push  a  gamma  item  whenever  a  new  variable 
was  encountered  and  to  pop  the  stack  when  the  variable's  scope  ended.  It  became 
apparent  that  determining  when  the  variable's  scope  ended  was  going  to  be  a  difficult  task 
unless  the  analyzer  kept  track  of  more  information  about  the  variables  being  declared. 

The  analyzer  soon  had  four  separate  stacks  to  keep  track  of  the  important  information. 

The  triple  stack  had  similar  problems. 

It  was  determined  that  all  of  the  external  stacks  could  be  eliminated  if  the  run  time 
stack  was  utilized.  In  this  implementation,  gamma  became  a  linked  list  of  gamma  items 
that  is  passed  as  a  parameter  from  one  production  to  those  productions  it  calls.  In 
addition,  each  production  returns  a  triple  that  contains  all  the  constraints  generated  in  the 
program.  This  did  pose  one  problem.  A  local  variable  declaration  requires  an  update  to 
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the  gamma  list  with  the  variable's  type  information  and  it  also  requires  the  generation  of  a 
new  triple  item.  Both  must  be  returned  to  the  calling  production. 

This  problem  may  be  overcome  by  adding  new  productions  to  the  specification 
but  the  productions  were  not  added  in  this  implementation.  Instead,  a  new  data  structure 
was  developed  to  simply  hold  the  new  gamma  list  and  the  generated  triple  so  that  both 
the  gamma  list  and  the  generated  triple  could  be  returned.  The  structure,  called  Dual,  was 
later  updated  to  also  hold  a  string  when  a  similar  situation  arose  in  the  method  declaration 
production  that  required  a  gamma  list  and  the  string  representation  of  a  token  to  be 
returned. 

Each  of  the  commands  and  expressions  of  the  core  language  listed  in  Figure  1  are 
"mapped"  to  one  or  more  productions  in  the  Java  1.0.2  grammar  specification.  Mapping 
the  algorithm  to  the  Java  specification  was  performed  in  two  steps.  The  first  step  was  to 
determine  which  productions  in  the  grammar  specification  correspond  to  commands  or 
expressions  in  the  core  language.  Once  the  relationship  between  the  core  language  and 
grammar  specification  was  established,  the  second  step  entailed  encoding  the  semantic 
actions  specified  by  the  algorithm  and  placing  the  code  in  the  corresponding  productions 
of  the  grammar  specificatioa  We  consider,  in  turn,  each  of  the  cases  of  the  algorithm  in 
Figure  2. 

Case  "x” 

The  Name  ( )  production  in  the  grammar  file  is  an  instance  of  case  x.  Name  { ) 
returns  a  string  representation  of  the  current  token  when  the  production  is  called.  The 
type  inference  algorithm  requires  the  type  of  x,  t  or  t  var,  to  be  determined.  The  type 
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resolution  of  the  token  that  corresponds  to  x  is  performed  within  the  production  that  calls 
Name  ( ) . 

Case  "n" 

The  Literal  ( )  production  is  an  instance  of  case  n.  Literal  ( )  accepts  the 
Java  primitive  types  of  integers,  floating  point  numbers,  characters,  strings,  boolean 
values  "true"  and  "felse",  and  "null". 


Case  "1" 

The  third  case  statement,  /,  deals  with  locations  and  is  not  implemented  in  the 
Java  grammar. 

Case  "ei  +  ei” 

The  expressions  below  are  all  instances  of  case  ei  +  ez' 

ConditionalOrExpression ( ) 

ConditionalAndExpression ( ) 

InclusiveOrExpression ( ) 

ExclusiveOrExpression ( ) 

AndExpression ( ) 

EqualityExpression ( ) 

RelationExpression ( ) 

ShiftExpression ( ) 

AdditiveExpression ( ) 

MultiplicativeExpression ( ) 

Case  ”proc(iii  xi,  inont  X2,  out  X3)  c" 

The  case  in  the  algorithm  for  procedure  declarations  has  the  following  form: 
proc(m  xi,  inout  X2,  out  X3)  c 

The  modes  of  the  parameters,  in;  inout;  and  out,  are  similar  to  those  used  in  the  Ada 
programming  language.  The  productions  dealing  with  procedures  starts  with  the 
MethodDeclaration  { )  production.  The  name  of  the  procedure  and  the  parameters 
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are  treated  in  a  call  to  the  MethodDeclarator  ( )  production.  The  parameters  are 
added  to  the  environment  with  a  call  to  the  FormalParameters  ( )  production  so  they 
may  be  referenced  in  the  body  of  the  procedure.  MethodDeclarator  ()  returns  the 
procedure  name  and  the  types  of  the  parameters.  All  parameters  are  considered  to  be 
inout  mode  and  are  typed  as  such,  meaning  they  have  type  t  \ar  for  some  t.  Finally  the 
body  of  the  procedure,  c,  is  handled  in  a  call  to  the  Block  ( )  production.  The  static 
analyzer  does  not  handle  recursive  procedures  or  method  declarations. 

Case  *'ci;  C2" 

Next  in  the  algorithm  is  the  statement  for  composition,  ci;  C2.  Composition  within 
a  block,  delimited  by  { } ,  is  handled  by  the  BlockStat  ementList  ( )  production. 

The  original  Java  grammar  specification  handled  composition  in  the  Block  ( ) 
production.  It  was  necessary  to  add  the  production  BlockStatementList  ( )  to 
handle  the  letvar  statement.  Changes  to  the  grammar  specification  for  the  letvar 
statement  are  explained  later  in  this  section. 

Case  ”if  e  then  ci  else  02" 

If-then-else  statements  are  handled  by  the  If  Statement  ( )  production  in  the 
grammar  specification.  The  else  portion  of  the  statement  is  not  mandatory  in  Java.  If  it 
is  not  used,  then  the  semantic  actions  in  the  algorithm  pertaining  to  the  else  statement  are 
not  executed. 

Case  "while  e  do  c" 

The  next  case  is  the  while  loop  of  the  form,  while  e  do  c.  It  has  been  mapped  to 
both  the  WhileStatement  ( )  and  DoStatement  ( )  productions  in  the  Java 
specification. 
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Case  "x  :=  e” 


The  assignment  statement  x  :=  e  is  mapped  to  Assignment  ( ) .  Note  that " :  =" 
is  not  the  only  assignment  operator  allowed;  others  include:  " /=",  and 

A  modification  to  the  grammar  specification  was  required  here.  The  Java  1.0.2  grammar 
specification  Assignment  ( )  production  is  listed  in  Figure  8.  The  production, 
PrimaryExpression  ( ) ,  may  be  evaluated  as  a  literal  ( ) ,  Name  ( ) , 
Expression 0, or AllocationExpressionO.  PrimaryExpression ( )  is 
also  called  from  a  number  of  other  productions  as  well  and  those  productions  require  that 
PrimaryExpression  ( )  return  a  triple  consisting  of  a  constraint  set,  a  type,  and  a  list 
of  stale  type  variables.  However,  the  Assignment  ( )  production  requires  that 
PrimaryExpression  ( )  return  the  type  of  x  from  the  identifier  typing  y.  Forthis 
reason,  a  new  production,  PrimaryLef  tExpression  ( ) ,  was  introduced  into  the 
Grammar  specification.  It  returns  the  string  representation  of  x,  so  that  it  may  be 
referenced  in  y,  and  replaces  PrimaryExpression  ( )  in  the  Assignment  { ) 
production. 

void  Assignment  {)  ; 

{} 

{ 

^  PrimaryExpression ( ) AssignmentOperator ( ) Expression ( ) 

Figure  8.  Assignment  Production 
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Case  "letvar  x  :=  e  in  c” 


Mapping  the  letvar  statement  to  the  Java  language  required  another  modification 
to  the  Java  grammar  specification.  The  original  specification  handled  local  variable 
declarations  at  the  same  level  as  all  other  statements  within  BlockStatement  ( ) .  The 
original  Java  specification  productions  that  handle  local  variable  declarations  are  shown 
in  Figure  9. 


void  Block  0  : 

{} 

{ 

"{"  (  BlockStatement ( )  )* 

} 

void  BlockStatement ( )  : 

{} 

{ 

LOOKAHEAD (Type  0  <IDENTIFIER>) 

LocalVariableDeclaration ( )  ” ;  " 

I 

Statement ( ) 

} 

void  LocalVariableDeclaration ( )  : 

{} 

{ 

Type()  VariableDeclarator ( )  (  VariableDeclarator ( )  )* 

} 


Figure  9.  Java  Specification  Productions  to  Handle  Local  Variable  Declarations 
In  the  original  grammar  specification,  composition  is  handled  in  the  Block  ( ) 
production.  The  *  operator  indicates  that  the  production(s)  within  the  preceding  set  of 
parentheses  is  called  zero  or  more  times.  Two  new  productions, 
BlockStatementList  ( )  and  LetvarStatement  ( ) ,  were  added  to  the  grammar 
specification  because  it  is  necessary  to  pass  the  identifier  typing  y,  updated  with  a  typing 
for  X,  to  the  production  that  parses  c  in  letvar  x  =  e  in  c.  The  original  Java  1 .0.2  grammar 
specification  had  no  productions  specified  for  c,  so  BlockStatementList  ( )  was 


22 


introduced  to  handle  this  problem.  In  the  modified  grammar  specification,  Block  ( ) 
calls  BlockStatementList  ( )  once  per  BlockStatement  { ) . 
BlockStatementList  ( ) ,  the  production  used  to  handle  composition,  calls 
BlockStatement  ( )  zero  or  more  times.  BlockStatement  { )  calls 
Letvar  Statement  ( )  if  a  local  variable  declaration  is  found,  otherwise. 

Statement  ( )  is  called.  LetvarStatement  ( )  first  calls 
LocalVariableDeclaration  ( )  to  handle  the  declaration,  then 
BlockStatementList  ( )  to  parse  the  rest  of  the  program  that  is  within  the  scope  the 
new  variable.  The  section  of  the  modified  grammar  file  is  listed  in  Figure  10. 

Case  "letproc  x(in  xi,  inout  xi,  out  X3)c  in  c’  " 

The  next  case  in  the  type  inference  algorithm,  letproc,  allows  procedures  to  be 
used  polymorphically  and  was  not  implemented  in  the  Java  grammar  specification. 
Therefore,  all  procedures  are  treated  as  monomorphic  in  the  analj^r  specification. 
Moreover,  only  static  methods  are  allowed  because  that  is  the  only  kind  of  method  the 
algorithm  treats. 

Case  "e(ei,  62, 63)" 

The  final  case  in  the  algorithm  types  procedure  calls.  The  Java  specification 
handles  procedure  calls  in  the  PrimaryPref  ix  ( )  production.  First,  the 
name  of  the  procedure  is  found  in  the  identifier  typing ,  y,  then  the  types  of  the  arguments 
are  conq)ared  with  those  retrieved  fi-om  y.  The  original  grammar  specification  for  Java 
allowed  arguments  to  be  expressions.  In  the  modified  specification,  all  parameters  must 
be  either  a  literal  or  a  previously  declared  and  initialized  variable  name. 
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void  Block ( )  : 

{} 

{ 

"{”  BlockStatementList ( )  "}" 

) 

void  BlockStatementList ( )  : 

{} 

{ 

(  LOOKAHEAD (2)  BlockStatement ( )  )* 

} 

void  BlockStatement ( )  : 

{} 

{ 

LOOKAHEAD (  Type ( )  <IDENTIFIER>  ) 

LetvarStatement ( ) 

1 

Statement ( ) 

) 

void  LetvarStatement  ( )  : 

{} 

{ 

LocalVariableDeclaration ( )  BlockStatementList ( ) 


void  LocalVariableDeclaration ( )  : 

{) 

{ 

TypeO  VariableDeclarator ( )  (  VariableDeclarator ( )  )* 


Figure  10.  Specification  Changes  for  letvar  Statement 


All  of  the  source  code  files  used  to  implement  the  static  analyzer  are  given  in 
Appendix  B. 


C.  RESTRICTIONS  IMPOSED  ON  PROGRAMS 


The  type  mference  algorithm  in  [3]  does  not  treat  an  object-oriented  language  like 
Java.  Although  we  started  with  a  JavaCC  specification  for  Java,  the  result  was  not  an 
analyzer  for  fiill  Java  but  rather  an  analyzer  for  that  subset  of  Java  corresponding  to  the 
simple  language  in  Figure  1.  So  how  big  is  this  subset? 
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First,  the  subset  that  can  be  analyzed  has  no  objects,  and  consequently  no  instance 
variables  or  instance  methods. 

Second,  all  expressions  must  be  free  of  any  side  effects.  This  is  the  reason  that 
assignment  expressions  in  Java  are  prohibited,  as  are  pre  and  post  increment 
"expressions".  They  all  violate  the  confinement  property. 

Other  restrictions  on  Java  programs  include  that  they  be  closed  (no  free 
variables),  that  they  have  only  non-recursive  static  methods,  that  they  have  no  methods 
with  a  return  type  other  than  void,  and  that  they  have  no  forward  references.  Yet,  other 
restrictions  are  imposed  because  certain  constructs  were  not  treated  in  the  algorithm  of 
[3].  They  include  try-catch  blocks,  synchronized  blocks  and  so  on.  In  summary,  the 
following  features  of  Java  are  not  analyzed: 

1.  Static  Initializes 

2.  Arrays 

3 .  Explicit  Constructor  Invocation 

4.  Conditional  Expressions 

5.  Instanceof Expressions 

6.  Preincrement  and  PreDecrement  Expressions 

7.  Postincrement  and  PostDecrement  Expressions 

8.  Cast  Expressions 

9.  Allocation  Expressions  -  (object  creation) 

10.  Labeled  Statements 

11.  Switch  Statements 

12.  For  Statements 

13.  Break  Statements 

14.  Continue  Statements 

15.  Return  Statements 

16.  Throw  Statements 

17.  Synchronized  Statements 

18.  Try  Statements 

19.  Catch  Statements 

20.  Finally  Statements 
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The  constructs  that  have  been  disallowed  have  only  been  commented  out  in  the 
grammar  specification  file  listed  in  Appendbc  A  in  order  to  allow  for  their 
implementation  in  the  future.  This  means  they  cannot  be  parsed  in  the  current 
implementation. 
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VI.  AN  EXAMPLE  RUN  OF  THE  STATIC  ANALYZER 


The  program  in  Figure  1 1  illustrates  an  application  of  the  static  analyzer.  It 
corresponds  to  the  example  program  of  Figure  3,  in  Chapter  HI,  written  in  Java. 
However,  it  is  not  identical,  for  Java  has  no  parameter-passing  mode  corresponding  to 
mode  out.  Nevertheless,  it  serves  to  illustrate  the  analyzer.  The  results  of  the  static 
analyzer  when  run  on  this  program  are  shown  in  Figure  12. 


class  test 
{ 

public  static  void  p(int  x,  int  y) 
{ 

int  a  =  x; 
int  b  =  0; 
while  (a  >  0)  { 
b  =  b  +  1; 
a  =  a  -  1; 

} 

y  =  b; 

} 

} 


Figure  11.  Static  Analyzer  Test  Program 


V  {^0,  ^2>  ^3>  ^4>  ^5)  ^6}  ”t7,  Xg,  T9,  Tio,  Tn,  Ti2j  T13,  T14} 

C  =  {Ti4  =  Ti2,  Ti2  <  t4,  Tg  =  t4,  T5  =  t4,  T2  <  T4,  Tu  =  Tg,  Tg  <  Te,  Te  =  T3,  T?  =  Te, 

T3  <  X6,  Til  <  T9, T9  =  T2,Tio  =  T9,  T2  <  T9,  T14  <  T13,  Ti  =  T13,  T3  <  T13,  To  <  T2} 

7t=  Ti2proc(Tovar,  Tivar) 


Figure  12.  Test  Program  Resuhs 


We  sketch  a  trace  of  the  analyzer  on  part  of  the  program.  The  parameters,  x  and 
y ,  are  the  first  tokens  to  be  analyzed.  They  are  assigned  the  type  variables  To  and  ti 
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respectively.  Then  the  variable  declaration: 

int  a  =  X 

IS  analyzed.  A  new  type  variable  for  x,  namely  X2,  is  created  and  the  constraint  set 
{to  <  T2}  is  generated.  The  constraint  is  generated  by  the  case  for  identifiers  where  an 

upward  coercion  is  introduced  (see  Figure  2).  The  variable  a  is  assigned  the  type 
variable  12  in  analyzing  the  rest  of  the  program. 

Next,  the  variable  declaration: 

int  b  =  0 

is  analyzed  in  the  same  manner,  except  that  no  constraint  is  generated  since  0  is  an 
integer.  This  is  the  integer  literal  case  of  the  type  inference  algorithm.  Finally,  b  is 
assigned  the  type  variable  T3.  At  this  point,  gamma  contains  the  following  t}'pes: 

(x :  To ,  y :  Ti,  a  :  T2,  b  :  T3} 
and  only  one  constraint,  xo  <  T2,  exists. 

Next,  the  while  loop 

while (a  >  0) 

is  analyzed.  The  predicate,  a  >  0,  is  checked  first  and  generates  the  following  new 
constraints: 


T2  ^  T4,  T4  T5 

The  first  comes  from  the  identifier  case  of  the  algorithm  (upward  coercion  of  a's  type) 
and  the  second  comes  from  t,  =  Xj  in  the  case  for  d  +  02  in  the  algorithm  of  Figure  2, 
where  Xi  =  X4  and  Xj  =  x^  The  rest  of  the  program  is  analyzed  in  the  same  manner. 
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VII.  CONCLUSIONS 


As  we  rely  more  on  computer  systems,  secure  flow  analysis  is  a  necessary  tool  to 
protect  the  information  stored  on  these  systems.  Denning's  work  [1]  [5]  provides  a  good 
base  of  knowledge  for  secure  information  flow.  The  Lattice  Model  consists  of  a  set  of 
storage  objects,  a  set  of  processes,  and  a  set  of  security  classes.  Each  storage  object  is 
bound  statically  or  dynamically  to  a  security  class.  Security  classes  are  required  to  form 
a  lattice,  hence  the  name.  A  flow  relation  indicates  permitted  information  flows  between 
security  classes.  The  lattice  shows  all  allowed  information  flows  within  the  system. 

Volpano  and  Smith  [3]  treat  the  model  in  the  context  of  a  type  system  and  prove 
the  soundness  of  the  type  system.  They  also  give  a  type  inference  algorithm  for  the 
system.  This  thesis  describes  an  implementation  of  that  algorithm  using  JavaCC.  The 
result  is  a  static  analyzer  that  checks  for  secure  information  flow  at  compile-time. 

The  static  analyzer  can  only  analyze  a  subset  of  the  Java  1.0.2  language.  It  may 
be  too  limited  to  allow  one  to  write  interesting  and  useful  programs.  Future  work  might 
focus  on  analyzing  a  larger  subset  of  Java. 
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APPENDIX  A  -  JAVA  GRAMMAR  SPECIFICATION 


The  following  pages  represent  the  modified  Java  1.0.2  grammar  specification  that 
is  the  input  to  the  Java  Compiler  Compiler.  The  original  grammar  file  was  developed  by 
Sriram  Sankar  on  6/1 1/96  and  is  copyrighted  by  Sun  Microsystems  Inc.  Semantic  actions 
were  added  to  the  original  grammar  to  perform  secure  flow  analysis  on  a  subset  of  Java 
1.0.2  programs. 
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*  Copyright  (C)  1996,  1997  Sun  Microsystems  Inc.^ 

* 

*  Use  of  this  file  and  the  system  it  is  part  of  is  constrained  by  the 

*  file  COPYRIGHT  in  the  root  directory  of  this  system.  You  may, 

*  however,  make  any  modifications  you  wish  to  this  file. 

* 

*  Java  files  generated  by  running  JavaCC  on  this  file  (or  modified 

*  versions  of  this  file)  may  be  used  in  exactly  the  same  manner  as 

*  Java  files  generated  from  any  grammar  developed  by  you. 

* 

*  Author:  Sriram  Sankar 

*  Date:  6/11/96 

* 

*  This  file  contains  a  Java  grammar  and  actions  that  implement  a 

*  front-end. 

* 

*  Modified  24  Feb  98  by  LT  James  D.  Harvey,  USN. 

★ 


* 

* 

★ 

* 

* 

* 

* 

★ 

* 

* 

* 

★ 

* 

* 

★ 

★ 

★ 

* 

* 

★ 

★ 

* 

★ 

* 

* 

* 

*/ 


Modifications  have  been  made  to  incorporate  a  type  checker  into  the 
compiler.  Several  portions  of  the  Java  language  have  been  disabled 
in  this  version  because  the  type  checker  does  not  support  them.  The 
portions  that  are  not  implemented  are  as  follows: 

Static  Initializers 
Arrays 

Explicit  Constructor  Invocation 
Conditional  Expressions 
Instanceof  Expressions 

Preincrement  and  PreDecrement  expressions 

Cast  Expressions 

Allocation  Expressions 

Labeled  Statements 

Switch  Statements 

For  Statements 

Break  Statements 

Continue  Statements 

Return  Statements 

Throw  Statement 

Synchronized  Statement 

Try  Statement 


^  Permission  to  reproduce  has  been  obtained  from  Sriram  Sankar  of  Sun  Microsystems. 
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options  { 

LOOKAHEAD  =  1; 

JAVA_UNICODE_ESCAPE  =  true; 

} 

PARSER_BEGIN { JavaParser) 
import  thesis.*; 
public  class  JavaParser  { 

static  SymbolGenerator  sg  ==  new  S^TobolGenerator  ( )  ; 

public  static  void  main(String  args[])  { 

JavaParser  parser; 

Triple  ConstraintSet ; 

Gamma  gamma  =  new  Gamma  (  "myGamma" )  ; 


if  (args, length  ==  0)  { 

System. out .println { "Java  Parser  Version  1.0.2:  Reading  from 

standard  input  .  ,  ,"); 

parser  =  new  JavaParser (System. in) ; 

}  else  if  (args. length  ==  1)  { 

System. out.println( "Java  Parser  Version  1.0.2:  Reading  from  fil 

"  +  args[0]  +  "  .  .  .")  ; 

try  { 

parser  =  new  JavaParser (new  java.io.FilelnputStream(args [0] ) ) ; 
}  catch  ( java . io . FileNotFoundException  e)  { 

System. out .println ( "Java  Parser  Version  1.0.2:  File  "  + 

args[0]  4-  "  not  found."); 

return; 

} 

}  else  { 

System. out.println( "Java  Parser  Version  1.0.2:  Usage  is  one 

of: ") ; 

System. out .println {"  java  JavaParser  <  inputfile") ; 

System. out.println( "OR”) ; 

System. out .println ( "  java  JavaParser  inputfile"); 

return; 


try  { 

ConstraintSet  =  parser.CompilationUnit(gamma); 

System, out.println( "Java  Parser  Version  1.0.2:  Java  program 

parsed  successfully."); 

}  catch  (ParseError  e)  { 

System. out.println{ "Java  Parser  Version  1.0.2:  Encountered 

errors  during  parse."); 

} 


PARSER  END (JavaParser) 


SKIP  ;  /*  WHITE  SPACE  */ 
/ 

I 

II  II 


I  ’’\t" 

I  "\n" 
i  "\r" 

I  "\f" 

} 

SPECIAL_TOKEN  :  /*  COMMENTS  */ 

{ 

<SINGLE_LINE_COMMENT:  "//"  (~  [  "\ri",  "Xr"]  )  *  (  "\n"  1  *’\r"  I  "\r\n" )  > 
I  <FORMAL  COMMENT:  "/**"  1*  "*»  /<<*••  i  ,  r„L„ 


II*  If  ^  11/  II  j  (~  ["***])  * 

} 


"***))*  11/ 11;^  ' 

I  <MULTI_LINE_COMMENT :  "/*"  {~["*"])*  ('•*” 

ti*  >i  j  *  ti/  itj,  ' 


TOKEN  :  /*  RESERVED  WORDS  AND  LITERALS  */ 

{ 

<  ABSTRACT:  "abstract"  > 

I  <  BOOLEAN:  "boolean"  > 

I  <  BREAK:  "break"  > 

I  <  BYTE:  "byte"  > 

I  <  CASE:  "case"  > 

I  <  CATCH:  "catch"  > 

I  <  CHAR:  "char"  > 

I  <  CLASS:  "class"  > 

I  <  CONST:  "const"  > 

I  <  CONTINUE:  "continue"  > 

I  <  _DEFAULT;  "default"  > 

I  <  DO:  "do"  > 

I  <  DOUBLE:  "double"  > 

I  <  ELSE:  "else"  > 

I  <  EXTENDS:  "extends"  > 

I  <  FALSE:  "false"  > 

I  <  FINAL:  "final"  > 

I  <  FINALLY:  "finally"  > 

I  <  FLOAT:  "float"  > 

I  <  FOR:  "for"  > 

I  <  GOTO:  "goto"  > 

I  <  IF:  "if"  > 

I  <  IMPLEMENTS:  "implements"  > 

I  <  IMPORT;  "import"  > 

I  <  INSTANCEOF:  "instanceof"  > 

I  <  INT:  "int"  > 

I  <  INTERFACE:  "interface"  > 

I  <  LONG:  "long"  > 

I  <  NATIVE:  "native"  > 

I  <  NEW:  "new"  > 

I  <  NULL:  "null"  > 

I  <  PACKAGE;  "package"> 

I  <  PRIVATE:  "private"  > 

I  <  PROTECTED:  "protected"  > 

I  <  PUBLIC;  "public"  > 

I  <  RETURN:  "return"  > 
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<  SHORT:  "short”  > 

<  STATIC:  "static"  > 

<  SUPER:  "super"  > 

<  SWITCH:  "switch"  > 

<  SYNCHRONIZED:  "synchronized"  > 

<  THIS:  "this"  > 

<  THROW:  "throw"  > 

<  THROWS:  "throws"  > 

<  TRANSIENT:  "transient"  > 

<  TRUE:  "true"  > 

<  TRY:  "try"  > 

<  VOID:  "void"  > 

<  VOLATILE:  "volatile"  > 

<  WHILE:  "while"  > 


TOKEN  :  /*  LITERALS  */ 

{ 

<  INTEGER_LITERAL : 

<DECIMAL_LITERAL>  (["1","L"])? 
I  <HEX_LITERAL>  (  ["1", "L"] ) ? 

I  <OCTAL_LITERAL>  (["1","L"])? 


<  #DECIMAL_LI TEFAL:  ["l"-"9"]  (["0"-"9"])*  > 

1 

<  #HEX_LITERAL:  "0"  ["x","X"]  { ["0"-"9",  "a"-"f",  "A"-"F"] ) +  > 

I 

<  #OCTAL_LITERAL :  "0"  (["0"-"7"])*  > 

I 

<  FLOATING_POINT_LITERAL: 

(["0"-"9"])+  (["0"-"9"])*  (<EXPONENT»? 

(  ["f","F","d","D"] )? 

I  "."  (["0"-"9"])+  (<EXPONENT>) ?  ( ["f ", "F", "d", "D"] ) ? 

I  ( ["0"-"9"] )+  <EXPONENT>  ( [ "f ",  "F",  "d",  "D"] ) ? 

I  (["0"-"9"])+  (<EXPONENT>) ?  [ "f " , "F", "d", "D" ] 


<  #EXPONENT:  ["e","E"]  (["+","-"])?  (["0"-"9"])+  > 

<  CHARACTER_LITERAL: 

fi  f  ir 

(  (~["'","\\","\n","\r"] ) 

I  ("W" 

(  ["n", "t", "b", "r", "f", "\\", " ' ", 

I  ["0"-"3"]  ["0"-"7"]  ["0"-"7"] 

) 

) 

) 

Ti  I  ir 
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<  STRING_LITERAL: 

tT  tt  tt 

(  (''["\"’%"\\",”\n","\r"]) 

I  ("W" 

(  ["n",  "t",  "b",  "r”, "f", " ’ ", 

I  (  ["0"-"7’']  )? 

I  ["0"-"3"]  ["0"-"7"]  ["0"-"7"] 

) 

) 

)* 

II  'y  If  IT 

> 

) 

TOKEN  :  /*  IDENTIFIERS  */ 

{ 

<  IDENTIFIER:  <LETTER>  {<LETTER> | <DIGIT>) *  > 


<  #LETTER: 

[ 

"\u0024", 

"\u004I"= 

"\u005f", 

"\u0061"- 

"\uOOcO"- 

"\u00d8"- 

"\u00f8"- 

"\u0100"- 

"\u3040"- 

"\u3300"“ 

"\u3400"- 

"\u4e00"- 

"\uf900"- 

] 


"\u005a", 

”\u007a", 

"\u00d6", 

"\u00f6", 

"\u00ff", 

"\ulfff", 

"\u318f", 

"\u337f", 

"\u3d2d", 

"\u9fff", 

"\ufaff" 


> 


<  #DIGIT: 

[ 

"\u0030"- 

"\u0660"- 

"\u06f0"- 

"\u0966"- 

"\u09e6"‘ 

"\u0a66"- 

"\u0ae6"- 

"\u0b66"- 

"\u0be7"- 

"\u0c66"- 

"\u0ce6"- 

"\u0d66"- 

"\u0e50"- 

"\uOedO"- 

"\ul040"- 

] 

> 


"\u0039", 

”\u0669", 

"\u06f9", 

"\u096f", 

"\u09ef", 

’’\u0a6f", 

"\uOaef", 

"\u0b6f", 

"\uObef", 

"\u0c6f", 

"\uOcef", 

"\u0d6f", 

"\u0e59", 

"\uOed9", 

"\ul049" 
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TOKEN  :  /*  SEPARATORS  */ 

{ 

<  LPAREN:  "("  > 
i  <  RPAREN :  " ) "  > 

I  <  LBRACE:  > 

I  <  RBRACE:  > 

I  <  LBRACKET:  "["  > 

I  <  RBRACKET :  "  ]  "  > 

I  <  SEMICOLON:  > 

1  <  COMMA:  > 

I  <  DOT ;  " .  "  > 


TOKEN  :  OPERATORS  */ 

{ 

<  ASSIGN:  "=="  > 

1  <  GT:  ”>"  > 

I  <  LT:  "<"  > 
i  <  BANG:  "!"  > 

I  <  TILDE:  > 

I  <  HOOK;  > 

I  <  COLON:  > 

i  <  EQ:  "==”  > 

1  <  LE:  ”<=”  > 

I  <  GE;  ">=”  > 

I  <  NE:  "!="  > 

I  <  SC_OR:  "II"  > 

I  <  SC_AND:  "&&"  > 

I  <  INCR:  "++"  > 

I  <  DECK:  "  — "  > 

I  <  PLUS:  > 

I  <  MINUS:  > 

I  <  STAR:  > 

I  <  SLASH:  "/"  > 

I  <  BIT_AND:  > 

I  <  BIT_OR:  "I"  > 

I  <  XOR:  > 

I  <  REM:  > 

1  <  LSHIFT:  "«"  > 

I  <  RSIGNEDSHIFT:  "»"  > 

I  <  RUNSIGNEDSHIFT:  "»>"  > 

I  <  PLUSASSIGN:  "+="  > 

I  <  MINUSASSIGN:  > 

I  <  STARASSIGN;  "*="  > 

I  <  SLASHASSIGN:  "/="  > 

I  <  ANDASSIGN;  "&="  > 

I  <  ORASSIGN:  " 1="  > 

I  <  XORASSIGN:  > 

1  <  REMASSIGN:  "%="  > 

I  <  LSHIFTASSIGN:  "«="  > 

I  <  RSIGNEDSHIFTASSIGN:  "»="  > 

I  <  RUNSIGNEDSHIFTASSIGN:  "»>="  > 
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/***********************************■****** 

*  THE  JAVA  LANGUAGE  GRAMMAR  STARTS  HERE  * 

*******************************  *.*j^****^**^ 


/* 

*  Program  structuring  syntax  follows. 
*/ 

Triple  CompilationUnit (Gamma  gamma)  : 
{Triple  cs  =  null;) 

{ 

// [  PackageDeclaration ( )  ] 

//(  ImportDeclaration ( )  )* 

(  cs  =  TypeDeclaration (gamma)  )* 
<EOF> 

{return  cs; } 

1 


void  PackageDeclaration ( )  : 

{} 

{ 

"package"  Name ( )  " ; " 

) 

void  ImportDeclaration { )  : 

{} 

{ 


"import"  Name{)  [  "." 

) 


Triple  TypeDeclaration (Gamma  gamma)  : 

{Triple  cs  =  null;) 

{ 

(LOOKAHEAD(  (  "abstract"  |  "final"  |  "public"  )*  "class"  ) 
CS  =  ClassDeclaration (gamma) 

I 

Interf aceDeclaration (gamma) 

I 

";") 

(return  cs;) 

) 


/* 

*  Declaration  syntax  follows. 
*/ 
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Triple  ClassDeclaration (Gamma  gamma)  : 

{ 

Triple  cs  =  null; 

Dual  d  =  new  Dual (cs , gamma) ; 

) 

{ 

(  "abstract"  |  "final"  |  "public"  )* 

"class"  <IDENTIFIER>  [  "extends"  Name ( )  ]  [  "implements"  Namelist ( )  ] 

"{"  (  d  =  ClassBodyDeclaration (d. gamma)  )* 

{ 

if  (d  !=  null) { 
j  return  d.cs; 

else{ 

return  cs; 

)//end  if 

} 

) 

Dual  ClassBodyDeclaration (Gamma  gamma)  : 

{ 

Triple  cs  =  null; 

Dual  d  =  null; 


( 

/* 

LOOKAHEAD (2) 
Staticinitializer ( ) 


*/ 

LOOKAHEAD (  [  "public"  |  "protected"  |  "private"  ]  Name()  "("  ) 
cs  =  ConstructorDeclaration (gamma ) 

{d  =  new  Dual (cs,  gamma) ; } 

I 

LOOKAHEAD (  MethodDeclarationLookahead ( )  ) 
d  =  MethodDeclaration (gamma) 

I 

d  =  FieldDeclaration (gamma)  ) 

{ 

System. out. println( "Constraint  set:  "  +  d.cs); 
System.out.println( "Gamma:  "  +  d. gamma) ; 
return  d; 

} 

1 

//  This  production  is  to  determine  lookahead  only, 
void  MethodDeclarationLookahead ( )  : 

{} 

{ 

(  "public"  I  "protected"  |  "private"  i  "static"  |  "abstract"  | 
"final"  I  "native"  |  "synchronized"  )* 

ResultType ( )  <IDENTIFIER>  " ( " 

) 
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void  InterfaceDeclaration (Gairana  gamma)  : 

{Triple  cs  =  null;} 

{ 

(  "abstract"  |  "public"  )* 

^’interface"  <IDENTIFIER>  [  "extends"  NameList{)  ] 
"{"  (  InterfaceMemberDeclaration (gamma)  )*  "}" 


void  InterfaceMemberDeclaration (Gamma  gamma)  : 

{ 

LOOKAHEAD (  MethodDeclarationLookahead ( )  ) 

MethodDeclaration (gamma) 

I 

FieldDeclaration (gamma) 

} 

Dual  FieldDeclaration (Gamma  gamma)  : 

Dual  d  =  null; 

} 

{ 

(  "public"  I  "protected"  |  "private"  |  "static"  |  "final"  I 
"transient"  1  "volatile"  )* 

TypeO  d  =  VariableDeclarator  (gamma) 

return  d; 

} 

} 

Dual  VariableDeclarator (Gamma  gamma)  ; 

Triple  cs  =  new  Triple (sg.NextSymbol (),"") ; 

String  id; 

} 

{ 

id  =  VariableDeclaratorldO  (  "="  cs  =  Variablelnitializer (gamma) 

cs  =  Default ( )  ) 

{ 

gamma  =  gamma. Append (new  Gammaltem(id, cs .getType ( ) , "var") ) ; 

Dual  d  =  new  Dual(cs,  gamma); 
return  d; 

1 

} 

Triple  Default ()  : 

{} 

{ 

(return  new  Triple (sg.NextSymbol () , 
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string  VariableDeclaratorld ( )  : 

{ String  id; } 

{ 

<IDENTIFIER> 

{id  =  token. image; } 

//  (  "["  )* 

{ return  id; } 

} 

Triple  Variablelnitializer (Gamma  gamma)  : 

{Triple  cs  =  null;} 

{ 

/* 

’’{"  [  Variablelnitializer 0  (  L00KAHEAD{2)  Variablelnitializer { ) 
)*  ]  [  ]  "}" 

I 

*/ 

cs  =  Expression (gamma) 

{return  cs; } 

} 

Dual  MethodDeclaration (Gamma  gamma)  ; 

{ 

Triple  cs  =  null; 

Dual  d  =  new  Dual (cs, gamma ) ; 

Gamma  temp ; 

Gamma  param  =  new  Gamma ( "param" )  ; 

) 

{ 

{  "public"  I  "protected"  |  "private"  |  "static"  |  "abstract"  | 
"final"  I  "native"  |  "synchronized"  )* 

ResultType ( ) 

temp  =  MethO(dDeclarator  (gamma,  d) 

{ 

while ( ! (temp.isEmptyO ) ) { 

Gammaltem  gi  =  (Gammaltem)  temp .  getFromList  ( )  ; 
gamma  =  gamma.Append(gi) ; 
param  =  param.  Append  (gi )  ; 
temp  =  temp.  removeFromList  ( )  ; 

}//end  while 

} 

[  "throws"  NameListO  ] 

(  cs  =  Block (gamma)  |  ) 

{ 

Gammaltem  GI  =  new  Gammaltem (d. id,  cs  .getType  ( ) ,  "proc") ; 

GI .  setParam  (param)  ; 

d. gamma  =  d. gamma  .Append (GI)  ; 

return  new  Dual ( cs, d. gamma)  ; 

} 
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Gamma  MethodDeclara tor  (Gamma  gamma.  Dual  d)  : 
{String  id;} 

{ 

<IDENTIFIER>  {id  =  token . image; } 
gamma  =  FormalParameters  ( )  (  **]  **  )* 

{ 

d. id  =  id; 
return  gamma; 

} 


Gamma  FormalParameters ( )  : 

{Gamma  temp  =  new  Gamma  ( "temp" ); } 

{ 

"("  [  temp  =  FormalParameter (temp)  {  temp  =  FormalParameter (temp) 

)*  ]  ")" 

{return  temp;} 

} 

Gamma  FormalParameter (Gamma  gamma)  : 

{ String  id; } 

{ 

Type ( )  id  =  VariableDeclaratorld ( ) 

{ 

gamma  =  gamma. Append (new  Gammaltem(id,  sg.NextSymbol ( ) , "var") ) ; 
return  gamma; 

} 


Triple  ConstructorDeclaration (Gamma  gamma)  : 

(Triple  cs  =  null;) 

{ 

[  "public"  I  "protected"  |  "private"  ] 

<IDENTIFIER>  gamma  =  FormalParameters ( )  [  "throws"  NameListO  ] 

//[  LOOKAHEAD (2)  ExplicitConstructorInvocation ( )  ] 

(  cs  =  BlocJiStatement  (gamma)  )*  "}" 

{ return  cs; ) 

} 

/* 

void  ExplicitConstructorInvocation ( )  : 

{} 

{ 

"this"  Arguments  0  ";" 

I 

"super"  Arguments ( )  " ; " 

) 
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void  Staticinitializer 0  : 

{} 

{ 

"static"  BlockO) 

} 

V 

/* 

*  Type,  name  and  expression  syntax  follows. 
*/ 

void  Type ( )  : 

{}  ' 

{ 

(  PrimitiveTypeO  |  Name  ( )  )  (  "["  "]  "  )* 

) 

void  PrimitiveType ( )  : 

{} 

{ 

"boolean" 

I 

"char" 

I 

"byte" 

I 

"short" 

I 

"int" 

I 

"long" 

I 

"float" 

I 

"double" 

} 

void  ResultType { )  : 

{} 

{ 

"void" 

1 

Typed 

} 
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string  Name ( )  : 

/* 

*  A  lookahead  of  2  is  required  below  since  "Name”  can  be  followed 
*^by  a  when  used  in  the  context  of  an  "ImportDeclaration" . 

{ String  id; } 

{ 

<IDENTIFIER> 

{id  =  token. image; } 

//  (  LOOKAHEAD (2)  <IDENTIFIER>  )* 

{ return  id; ) 


void  NameList()  : 

{} 

{ 

Name  ( ) 

(  "  NameO 

)* 


/* 

*  Expression  syntax  follows. 
*/ 


Triple  Expression (Gamma  gamma)  : 

{Triple  cs;} 

{ 

{  LOOKAHEAD {  PrimaryExpression (gamma)  AssignmentOperator ( )  ) 
cs  =  Assignment (gamma) 

I 

cs  =  ConditionalOrExpression (gamma)  ) 

{ return  cs; } 
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Triple  Assignment  (Gamma  gamma)  : 

{ 

String  id; 

Triple  cs; 


{ 

id  =  PrimaryLeftExpression ( )  AssignmentOperator ( )  cs  = 
Expression (gamma) 

{ 

Gammaltem  item  =  gamma .  FindType  (id)  ; 
if (item  !=  null) { 

String  mod  =  item. getModif ier ( ) ; 

if (mod. equals ( ”var”)  | |  mod. equals ( "acc" ) ) { 

String  tau  =  item. getType ( ) ; 

String  tauPrime  =  cs . getType () ; 

String  alpha  =  sg. NextSymbol ( ) ; 

Constraintitem  cil  =  new  Constraintitem (tau, tauPrime) ; 
Constraintitem  ci2  =  new  Constraintitem (tauPrime, tau) ; 
Constraintitem  ci3  =  new  Constraintitem (alpha, tauPrime) 
cs  =  cs .Append (cil)  ; 
cs  =  cs .Append ( ci2 ) ; 
cs  =  cs.Append(ci3); 
cs . setModifier ( "cmd")  ; 
cs . setType ( alpha ) ; 

} 

else{ 

System,  err. println ("Secure  Parse  failed"); 

System. exit (0) ; 

}//end  if 

} 

else  { 

System. out .println ( "Unrecognized  variable  "  +  id); 
System. exit (0) ; 

}//end  if 
return  cs; 


} 

void  AssignmentOperator ( )  : 

{} 

{ 

"="  I  "*="  I  "/="  I  I  1  "-=»  I  »«="  I  ”»="  I  "»> 

j  I  It  I  _ll 

} 

/* 

void  ConditionalExpression ( )  : 

{} 

{ 

ConditionalOrExpression ( )  [  "?"  Expression () 

ConditionalExpression ( )  ] 

} 

*/ 
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Triple  ConditionalOrExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null;} 

{ 

csl  =  ConditionalAndExpression (gamma)  (  "| |"  cs2  = 
ConditionalAndExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl.getType () ; 

String  tau2  =  cs2 . getType ( ) ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tau2) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl .Union (cs2) .Append (cil) .Append (ci2 ) ; 

} 

1 

)  * 

{ return  csl; } 


Triple  ConditionalAndExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 

} 

{ 

csl  =  InclusiveOrExpression (gamma)  (  "&&"  cs2  = 
InclusiveOrExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul,tau2) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl .Union (cs2) .Append (cil) .Append (ci2 ) ; 

} 

} 

)* 

(return  csl;} 


48 


Triple  Indus! veOrExpression  (Gainma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 


{ 

csl  =  ExclusiveOrExpression (gamma)  (  "1"  cs2  = 
ExclusiveOrExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType ( ) ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  Constraintitem ( taul^ tau2 ) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl. Union (cs2) .Append (cil) .Append (ci2) ; 

} 

} 

)* 

{ return  csl ; } 


Triple  ExclusiveOrExpression ( Gamma  gamma)  : 

Triple  csl; 

Triple  cs2  =  null; 

} 

{ 

csl  =  AndExpression(gamma)  (  cs2  =  AndExpression  (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tau2 ) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) ; 

} 

} 

)* 

{return  csl;} 
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Triple  AndExpression (Gamma  gamma)  ; 

{ 

Triple  csl; 

Triple  cs2  =  null; 

] 

{ 

csl  =  EqualityExpression (gamma)  (  cs2  =  EqualityExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl.getType ( ) ; 

String  tau2  =  cs2 . getType ( ) ; 

Constraintitem  cil  =  new  ConstraintItem(taul,tau2) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2,taul) ; 
csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) ; 

} 

} 

)  * 

{return  csl;} 


Triple  EqualityExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 

) 

{ 

csl  =  RelationalExpression (gamma)  (  (  "=="  |  ”!="  )  cs2  = 
RelationalExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType  () ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul,tau2) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl .Union (cs2) .Append (cil) .Append (ci2) ; 

} 

} 

)* 

{return  csl;} 


/* 

void  InstanceOf Expression ( )  : 

{} 

{ 

RelationalExpression 0  {  "instanceof"  Type()  ] 

) 

*/ 
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Triple  RelationalExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 

} 

{ 

csl  =  ShiftExpression (gamma)  (  (  "<"  |  ">”  |  "<="  |  ">z="  )  cs2 
ShiftExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType ( ) ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tau2) ; 
Constraintitem  ci2  =  new  Constraintitem (tau2, taul) ; 
csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) ; 

} 

} 

)* 

{return  csl;} 


Triple  ShiftExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 

} 

{ 

csl  =  AdditiveExpression  (gamma)  (  (  "«"  |  "»"  |  "»>"  )  cs2 
AdditiveExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tau2) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  cs 1. Uni on (cs2) .Append (cil) .Append (ci2) ; 

) 

} 

)* 

(return  csl;} 
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Triple  AdditiveExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 

) 

{ 

csl  =  MultiplicativeExpression (gamma)  (  (  "+"  |  )  cs2  = 

MultiplicativeExpression (gamma) 

{ 

if (cs2  ! =  null ) { 

String  taul  =  csl . getType ( ) ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul,tau2) ; 
Constraintitem  ci2  =  new  Constraintitem (tau2, taul) ; 
csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) ; 

} 

}  )* 

{ 

return  csl; 

} 


Triple  MultiplicativeExpression (Gamma  gamma)  : 

Triple  csl; 

Triple  cs2  =  null; 

} 

{ 

csl  =  UnaryExpression (gamma)  (  (  |  "/"  |  )  cs2  = 

UnaryExpression (gamma) 

{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType ( ) ; 

Constraintitem  cil  =  new  Constraintitem (taul, tau2 ) ; 
Constraintitem  ci2  =  new  ConstraintItem(tau2,taul) ; 
csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) ; 

} 

}  )* 

{ 

return  csl; 

) 
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Triple  UnaryExpression (Gamma  gamma)  : 

{Triple  cs;) 

{ 

((  "+"  I  )  cs  =  UnaryExpression (gamma) 

I 

/* 

PreIncrementExpression ( ) 

I 

PreDecrementExpression ( ) 

I 

*/ 

cs  =  UnaryExpressionNotPlusMinus (gamma)  ) 

{ return  cs; } 

} 

/* 

void  PreIncrementExpression ( )  : 

{} 

{ 

"++"  PrimaryExpression ( ) 

) 


void  PreDecrementExpression ( )  : 

{} 

{ 

" — ”  PrimaryExpression ( ) 

} 

*/ 


Triple  UnaryExpressionNotPlusMinus (Gamma  gamma) 
(Triple  cs;) 

{ 

((  I  nil.  )  ^3  =  UnaryExpression  (gamma) 

I 

/* 

LOOKAHEAD (  CastLookahead ( )  ) 

CastExpression ( ) 

I 

*/ 

cs  =  PostfixExpression (gamma)  ) 

{ return  cs; } 

) 
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/* 

/ /  This  production  is  to  determine  lookahead  only.  The  LOOPCAHEAD 
//  specifications  below  are  not  used,  but  they  are  there  just  to 
//  indicate  that  we  know  about  this, 
void  CastLookahead ( )  : 

{} 

{ 

LOOKAHEAD (2) 

II  ^  II  primitiveType  ( ) 

I 

LOOKAHEAD ( " ( "  Name ( )  " [ " ) 

"("  NameO  "[" 

I 

"{"  NameO  ")"  (  I  "!"  |  "("  I  <IDENTIFIER>  |  "this"  |  "super" 

"new"  I  Literal ( )  ) 

} 

*/ 

Triple  PostfixExpression (Gamma  gamma)  : 

{Triple  cs;} 

{ 

cs  =  PrimaryExpression (gamma)  //[  "++"  |  " — "  ] 

{return  cs;} 

} 

/* 

void  CastExpression ( )  : 

{} 

{ 

(LOOKAHEAD (2) 

"("  PrimitiveType ( )  (  "] "  )*  ")"  UnaryExpression ( ) 

I 

"("  Name  ( )  (  "] "  )*  ")"  UnaryExpressionNotPlusMinus ( )  ) 

) 

*/ 


Triple  PrimaryExpression (Gamma  gamma)  : 

{Triple  cs  =  null;) 

{ 

cs  =  PrimaryPrefix (gamma)  // (  PrimarySuf fix (gamma)  )* 
(return  cs; ) 

} 
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Triple  PrimaryPrefix (Gamma  gamma)  : 

{ 

Triple  cs  =  null; 

Triple  csl  =  null; 

Triple  cs2  =  null; 

String  id  =  null; 

Gamma  temp  =  null; 

} 

{ 

( cs  =  Literal ( ) 

I 

[”this"  id  =  NameO 

{ 

Gammaltem  item  =  gamma .  FindType  (id)  ; 
if (item  !=  null) { 

String  mod  =  item. getModifier ( ) ; 
if (mod. equals ("var")  | |  mod. equals ("")){ 

String  tau  =  item.  getType ( ) ; 

String  alpha  =  sg.NextSymbol ( ) ; 

Constraintitem  cil  =  new  ConstraintItem(tau^ alpha) ; 
cs  =  new  Triple (cil, alpha, "") ; 

} 

else  if (mod. equals ( "proc" )) { 
temp  =  item. getParam( ) ; 

} 

else  { 

System. err .println( "Secure  Parse  failed") ; 

System. exit ( 0) ; 

}//end  if 

} 

else  { 

System,  out  .println  ( "Undefined  variable:  ”  H-  id); 

//  System. exit (0) ; 

temp  =  new  Gamma  (  "temp" )  .Append  (new  Gammaltem ("",  sg,  ""))  ; 
}//end  if 

} 

[  "("  [  csl  =  PrimaryPrefix (gamma) 

{ 

//create  constraint  type (csl)  =  type(param) 

String  tauPrime  =  csl . getType () ; 

String  taul  =  ( (Gammaltem) temp . get FromList ()). getType () ; 
temp . removeFromList ( ) ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tauPrime) ; 
Constraintitem  ci2  =  new  ConstraintItem(tauPrime, taul ) ; 

//add  constraint  to  csl 

csl  =  csl .Append (cil) .Append (ci2 ) ; 

cs  =  csl; 

} 

(  "  cs2  =  PrimaryPrefix (gamma) 

{ 

//create  constraint  type(cs2)  =  type (param) 

String  tauDoublePrime  =  cs2 . getType () ; 

String  tau2  =  ( (Gammaltem) temp . getFromList ( ) ) . getType ( ) ; 

temp . removeFromList ( ) ; 

Constraintitem  ci3  =  new  Constraintitem (tau2 , tauDoublePrime) 
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Constraintitem  ci4  =  new  ConstraintItem(tauDoublePrime, tau2) ; 

//csl  Union  cs2 
csl  =  csl . Union (cs2) ; 

//add  constraint  to  csl 

csl  =  csl .Append (ci3) .Append (ci4) ; 

cs  =  csl; 

} 

)*  ]  ")  "  ] 


"this" 


"super"  <IDENTIFIER> 

*/ 


"("  cs  -  Expression (gairara)  ")  " 

/* 


AllocationExpression ( ) 

*/ 

) 

{  return  cs ; ) 

} 

/* 

Triple  PrimarySuf fix ( )  : 

{  } 


Expression  0  "] " 
<IDENTIFIER> 
Arguments ( ) 


*/ 

String  PrimaryLeftExpression ( )  : 

{} 

{ 

[  "("  ][  "this"  "."  ]  NameO  [  ")"  ] 
{ return  token . image ; } 

} 
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Triple  Literal ()  : 

{} 

{ 

(  <INTEGER_LITERAL> 

I 

<FLOATING_POINT_LITERAL> 

i 

<CHARACTER_LITERAL> 

I 

<STRING_LITERAL> 

I 

BooleanLiteral ( ) 

I 

NullLiteral ( )  ) 

{return  new  Triple (sg.NextSymbol (),""); } 

} 

void  BooleanLiteral { )  : 

{} 

{ 

"true" 

I 

"false" 

} 

void  NullLiteral ( )  : 

{} 

{ 

"null” 

} 

/* 

void  Arguments ( )  : 

{} 

{ 

"("  [  ArgumentListO  ]  ")" 

} 

Triple  ArgumentList  (Gamma  gamma)  : 

{} 

{ 

Expression 0  (  Expression ()  )* 

} 
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void  AllocationExpression ( )  : 

{) 


{ 

LOOKAHEAD (2) 

"new"  PrimitiveType { )  ArrayDimensions ( ) 

I 

"new"  Name ( )  (  Arguments ( )  |  ArrayDimensions ( )  ) 


/  The  second  LOOKAHEAD  specification  helow  is  to  parse 
*  PrimarySuffixif  there  is  an  expression  between  the  " 
/* 

void  ArrayDimensions ( )  : 

{} 

{ 

{  LOOKAHEAD (2)  "["  Expression ()  "] "  )+  (  LOOKAHEAD (2) 


to 

[...] 


II  r  II 


*/ 


/* 

*  statement  syntax  follows. 

*/ 

Triple  Statement (Gamma  gamma)  : 
{Triple  cs  =  null;) 

{ 

(LOOKAHEAD (2) 

/* 

LabeledStatement ( ) 

I 

*/ 

cs  =  Block (gamma) 

I 

cs  =  EmptyStatement (gamma) 

I 

cs  =  StatementExpression (gamma) 

I 

/* 

SwitchStatement ( ) 

I 

*/ 

cs  =  If Statement (gamma) 

I 

cs  =  WhileStatement (gamma) 

I 

cs  =  Do Statement (gamma) 

/* 

I 

ForStatement ( ) 

I 

BreakStatement ( ) 

I 

ContinueStatement ( ) 

I 

ReturnStatement ( ) 
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Throws tatement ( ) 


SynchronizedStatement ( ) 
I 

TryStatement ( ) 

*/ 


{return  cs;} 

) 

/* 

void  LabeledStatement 0  : 

{} 

{ 

<IDENTIFIER>  Statement ( ) 

} 

*/ 

Triple  Block (Gamma  gamma)  : 

{Triple  cs;} 

{ 

"{"  cs  =  BlockStatementList (gamma)  "}" 

{return  cs; } 

} 

Triple  BlockStatementList (Gamma  gamma)  : 

{ 

Triple  csl  =  null; 

Triple  cs2; 

} 

{ 

(  LOOKAHEAD (2)  cs2  =  BlockStatement (gamma) 

{ 

if (cs2  !=  null) { 
if (csl  ==  null) { 
csl  =  cs2; 

) 

else{ 

String  taul  =  csl . getType ( ) ; 

String  tau2  =  cs2 . getType () ; 

Constraintitem  cil  =  new  ConstraintItem(taul, tau2 ) 
Constraintitem  ci2  =  new  ConstraintItem(tau2 , taul ) 
csl  =  csl.Union(cs2) ; 
csl  =  csl .Append (cil)  ; 
csl  =  csl. Append ( ci2 ) ; 

}//end  if 
}//end  if 

} 

)  * 

{return  csl;} 

} 
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Triple  BlockStatement (Gamma  gamma)  : 
{Triple  cs;} 

{ 

(LOOKAHEAD (Type  0  <IDENTIFIER>) 
cs  =  LetvarStatement (gamma ) 

I 

cs  =  Statement (gamma) ) 

(return  cs;} 


Triple  LetvarStatement  (Gamma  gamma)  : 

{ 

Dual  d; 

Triple  cs  =  null; 


d  =  LocalVariableDeclaration (gamma) 

{ gamma  =  d . gamma ; } 

cs  =  Blocks tatementList (gamma) 

{ 

if (cs  !=  null) { 
cs .Union (d. cs) ; 
cs . setModif ier ( "cmd" ) ; 

} 

else  { 

cs  =  d.cs; 

} 

return  cs; 

} 

} 

Dual  LocalVariableDeclaration (Gamma  gamma)  : 
(Dual  d; } 

{ 

Type ( ) 

d  =  VariableDeclarator (gamma) 

(  VariableDeclarator (gamma)  )* 

(return  d; ) 

} 

Triple  EmptyStatement (Gamma  gamma)  : 

{} 

{ 

11  .  IT 
t 

{return  new  Triple  (sg.NextSynnbol  (),  "cmd") ; } 

} 
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Triple  StatementExpression (Gamma  gamma)  : 

/* 

*  The  last  expansion  of  this  production  accepts  more  than  the  legal 

*  Java  expansions  for  StatementExpression. 

*/ 

{Triple  cs;} 

{ 

(  LOOKAHEAD  (  PrimaryExpression (gamma)  AssignmentOperator (gamma)  ) 
cs  =  Assignment (gamma) 

I 

cs  =  PostfixExpression (gamma)  ) 

(return  cs;} 


/* 

void  SwitchStatement ( )  : 

{} 

{ 

"switch"  "("  Expression 0  ")" 

(  SwitchLabel ( )  (  BlockStatement ( )  )*  )* 

»l  j,  ?i 


void  SwitchLabel ( )  : 

{} 

{ 

"case"  Expression  0 

I 

"default"  " : " 

} 

*/ 


61 


Triple  If Statement (Gamma  gamma)  : 

/* 

The  disambiguating  algorithm  of  JavaCC  automatically  binds  dangling 

*  else's  to  the  innermost  if  statement.  The  LOOKAHEAD  specification 

*  is  to  tell  JavaCC  that  we  know  what  we  are  doing. 

*/ 

{ 

Triple  cs; 

Triple  csl; 

Triple  cs2  =  null; 

1 

{ 

"if"  "("  cs  =  Expression (gamma)  ")" 
csl  =  Statement (gamma) 

[  LOOKAHEAD(l)  "else"  cs2  =  Statement (gamma)  ] 

{ 

String  tau  =  cs . getType ( ) ; 

String  taul  =  csl . getType () ; 

String  alpha  =  sg . NextSymbol ( ) ; 

Constraintitem  cil  =  new  ConstraintItem(tau, taul ) ; 

Constraintitem  ci2  =  new  ConstraintItem(taul, tau) ; 

Constraintitem  ci3  =  new  ConstraintItem(alpha, tau) ; 
cs  =  cs. Union (csl) .Append (cil) .Append (ci2) .Append (ci3) ; 
cs . setType ( alpha ) ; 
cs.setModifier ("cmd") ; 
if (cs2  !=  null) { 

String  tau2  =  cs2 . getType () ; 

Constraintitem  ci4  =  new  ConstraintItem(tau,tau2) ; 

Constraintitem  ci5  =  new  ConstraintItem(tau2, tau) ; 

Constraintitem  ci6  =  new  ConstraintItem(taul,tau2) ; 
Constraintitem  ci7  =  new  ConstraintItem(tau2, taul) ; 
cs  = 

cs. Union (cs2) .Append (ci4) .Append (ci5) . Append (ci 6) .Append (ci7) ; 

}//end  if 
return  cs; 

} 

} 
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Triple  WhileStatement  (Gaitima  gamma)  : 

{ 

Triple  csl  =  null; 

Triple  cs2  =  null; 


"while"  "{"  csl  =  Expression (gamma)  ")"  cs2  =  Statement (gamma) 

String  tau  =  csl . getType ( ) ; 

String  tauPrime  =  cs2 . getType ( ) ; 

String  alpha  =  sg.NextSymbol ( ) ; 

Constraintitem  cil  =  new  Constraintitem (tau, tauPrime) ; 

Constraintitem  ci2  =  new  ConstraintItem(tauPrime, tau) ; 

Constraintitem  ci3  =  new  ConstraintItem(alpha, tau) ; 

csl  =  csl.Union(cs2) .Append(cil) .Append(ci2) .Append(ci3) ; 

csl. setType (alpha) ; 

csl . setModifier ( "cmd") ; 

return  csl; 

} 

} 

Triple  DoStatement (Gamma  gamma)  : 

{ 

Triple  csl  =  null; 

Triple  cs2  =  null; 

} 

{ 

"do"  cs2  =  Statement (gamma)  "while"  "("  csl  =  Expression (gamma)  ")" 

II  ,  II  ^ 

r 

{ 

string  tau  =  csl . getType () ; 

String  tauPrime  =  cs2 . getType () ; 

String  alpha  =  sg.NextSymbol () ; 

Constraintitem  cil  =  new  ConstraintItem(tau, tauPrime) ; 

Constraintitem  ci2  =  new  Constraintitem (tauPrime, tau) ; 

Constraintitem  ci3  =  new  Constraintitem (alpha, tau) ; 

csl  =  cs 1. Union (cs2) .Append(cil) .Append(ci2) .Append(ci3)  ; 

csl . setType (alpha) ; 

csl . setModifier ( "cmd") ; 

return  csl; 

} 


/* 

void  ForStatement ( )  ; 

{} 

{ 

"for"  "("  [  ForInitO  ] 

[  Expression  0  ]  ";" 
[  ForUpdate  ( )  ]  " ) " 
Statement ( ) 

1 
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void  ForInitO  : 

{} 

{ 

LOOKAHEAD {  Type ( )  <IDENTIFIER>  ) 
LocalVariableDeclaration ( ) 

I 

StatementExpressionList { ) 

) 

void  StatementExpressionList 0  : 

{} 

StatementExpression { )  (  StatementExpression ( )  )* 

} 


void  ForUpdate ( )  : 

{} 

{ 

StatementExpressionList ( ) 

) 

void  BreakStatement ( )  : 

{} 

{ 


"break"  [  <IDENTIFIER>  ] 

) 

void  ContinueStatement ( )  : 

{} 

{ 


"continue"  [  <IDENTIFIER>  ] 

} 

void  ReturnStatement ( )  ; 

{} 

{ 

"return"  [  Expression ()  ] 

) 

void  ThrowStatement ( )  : 

{} 

{ 


"throw"  Expression!) 

) 

void  SynchronizedStatement { )  : 

{) 


"synchronized"  "("  Expression!)  ")"  Block!) 

) 
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void  TryStatement ( )  : 

{} 

{ 

"try"  Block  0 

{  "catch"  "("  FormalParameter ( )  ")"  Block { )  ) 
[■"finally"  Block ( )  ] 
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APPENDIX  B  -  STATIC  ANALYZER  SOURCE  CODE 
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//***:t*  +  ^Tt  +  +  ***  +  +  -A-***  +  *  +  +  +  ****rAr*****  +  *-*r  +  *****  +  **  +  *  +  Vk-***  +  **  **  +  *★★  ★★*★*** 

//  File:  Gamma. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer.  Basically  a  linked  list. 

package  thesis; 

import  java.io.*; 

public  class  Gamma 

{ 

protected  Object  ob j ; 
protected  Gamma  next; 
protected  Gamma  rear  =  null; 
public  String  name; 

public  Gamma  (String  name) 

{ 

this.obj  =  null; 
this. next  =  this; 
this. name  =  name; 

if (rear  ==  null) 
rear  =  this; 

} 

private  Gamma ( ) 

{ 

this.obj  =  null; 
this. next  =  this; 

} 


public  Object  getFromList ( ) 

{ 

return  this.obj; 

1 

public  Gamma  removeFromList { ) 

{ 

return  this. next; 

} 

public  synchronized  boolean  isEmptyO 

{ 

if (this  ==  rear) 
return  true; 
else 

return  false; 
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public  Gamma  Append  (Gammal tern  gi) 

{ 

Gamma  g  =  new  Gamma  ( ) ; 
g.obj  =  gi; 
g.next  =  this; 
return  g; 


public  Garamaltem  FindType (String  name) 

{ 

Gammal tern  temp  =  null; 

Gamma  list  =  this; 
boolean  matchFound  =  false; 

do  { 

ifdist.obj  =-  null) 
return  null; 

String  item  =  ( (Gammal tern) list . obj ) .Name; 

if (item. equals (name) ) { 

temp  =  (Gammaltem) list. obj; 
matchFound  =  true; 

} 

else  { 

list  =  (Gamma) list . next; 

}//end  if 

} while ( ImatchFound) ; 
return  temp; 

} 


public  String  toStringO 

{ 

if (isEmpty ( ) ) 
return  ” " ; 
else 

return (this. obj  +  ””  +  this. next) ; 

} 

}//end  gamraa  class 


69 


//  File:  Gamma  I  tern,  java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
/ /  analyzer.  It  is  an  item  to  be  placed  into  gamma.  The 

II  structure  consists  of  a  name  and  a  type.  The  type  may 

//  consist  of  1-3  fields. 

package  thesis; 

import  java.io.*; 

public  class  Gamrnaltem 

{ 

protected  String  Name; 
protected  String  Type; 
protected  String  Modifier; 
private  Gamma  param; 

public  Gamrnaltem  (String  Name,  SymbolGenerator  sg.  String  mod) 

this. Name  =  Name; 

this. Type  =  sg.NextSymbol ( ) ; 

this .Modifier  =  mod; 

} 

public  Gamrnaltem (String  Name,  String  Type,  String  mod) 

{ 

this. Name  =  Name; 
this. Type  =  Type; 
this .Modifier  =  mod; 

} 

public  void  setParam( Gamma  gamma) 

{ 

this. pa ram  -  gamma; 

} 

public  Gamma  getParamO 

{ 

return  this. param; 

} 

public  String  getName  ( ) 

{ 

return  this. Name; 

} 


public  String  getType ( ) 

{ 

return  this. Type; 

) 
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public  String  getModifier ( ) 

{ 

return  this .Modifier; 

} 

public  String  toStringO 

{ 

if {Modifier. equals ("proc") )  { 

return  ("{"+  Name  Type  +  Modifier  +"("+  param  +")"+")"); 

) 

else{ 

return  (  "("  +  Name  +  +  Type  +  Modifier  +  ")"  ); 

)//end  if 

} 

) / /end  class 
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//******************************************** 

//  File:  Triple. java 
//  Date:  24  Feb  98 
// 

/ /  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyter.  The  structure  consists  of  a  constraint  set 

//  and  a  principle  type.  The  type  may  consist  of  1-2 

//  fields. 

//*******************  *******-k*-k**-k-k*-k*ir**-k**-lr*-k***********-k**-k-k-k-k****** 
package  thesis; 


public  class  Triple 

{ 

private  LinkedList  ConstraintSet ; 
private  String  Type; 
private  String  TypeModifier; 

public  Triple ( ) 

{ 

this. Type  =  "Type"; 
this. TypeModifier  =  "mod"; 

ConstraintSet  =  new  LinkedList { "name") ; 

} 


public  Triple (Constraintitem  ci,  string  Type,  string  Modifier) 

ConstraintSet  =  new  LinkedList ("name") ; 

this. Type  =  Type; 

this. TypeModifier  =  Modifier; 

ConstraintSet  =  ConstraintSet . addToList (ci ) ; 


public  Triple (LinkedList  ConstraintSet,  String  Type, 

this. Type  =  Type; 

this. TypeModifier  =  Modifier; 

this. ConstraintSet  =  ConstraintSet; 


String  Modifier) 


public  Triple (String  Type,  String  Modifier) 

{ 

this. Type  =  Type; 

this. TypeModifier  =  Modifier; 

ConstraintSet  =  new  LinkedList ("name"); 


public  String  getType ( ) 

{ 

return  this. Type; 

) 
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public  String  getModifier { ) 

{ 

return  this . TypeModif ier ; 

} 

public  void  setModif ier (String  Modifier) 

{ 

this. TypeModif ier  =  Modifier; 

} 

public  void  setType (String  type) 

{ 

this. Type  =  type; 

} 

public  Triple  Union (Triple  setTwo) 

{ 

LinkedList  temp  =  this . ConstraintSet ; 
if ( (Constraint! tern) temp . obj  ==  null) { 

return  new  Triple  (setTwo. ConstraintSet^ this . Type, 

this . TypeModifier ) ; 

1 

/ 

while (temp. next. obj  !=  null) { 
temp  =  temp. next; 

} 

temp. next  =  setTwo. ConstraintSet; 

this. ConstraintSet. rear  =  setTwo . ConstraintSet . rear ; 

return  new  Triple (this. ConstraintSet, this .Type, this .TypeModifier) ; 


public  Triple  Append (Constraintitem  C) 

{ 


} 


return  new  Triple (this. ConstraintSet. addToList (C) ,  this. Type, 

this. TypeModif ier) ; 


public  String  toString ( ) 

{ 

return ("{"+"["+  ConstraintSet  Type  +  TypeModifier  +"}"  ); 

} 

}//end  class 


73 


//****************************** 

//  File:  Constraintitem. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer.  The  structure  consists  two  types. 

//**************************** *******^****^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
package  thesis; 


public  class  Constraintitem 

{ 

protected  String  Typel; 
protected  String  Type2; 

public  Constraintitem  (String  Typel,  String  Type2) 

this. Typel  =  Typel; 
this.Type2  =  Type2; 

1 


public  String  toStringO 

{ 

return  (  "("  +  Typel  +  +  Type2  +  ")"  ) ; 

} 
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//  File:  LinkedList . j ava 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer. 

package  thesis; 

public  class  LinkedList 

{ 

protected  Object  ob j ; 
protected  LinkedList  next; 
protected  LinkedList  rear  =  null; 
public  String  name; 

public  LinkedList ( String  name) 

{ 

this.obj  =  null; 
this. next  =  this; 
this. name  =  name; 

if (rear  ==  null) 
rear  =  this; 

} 

private  LinkedList  {) 

{ 

this.obj  =  null; 
this. next  =  this; 

} 

public  LinkedList  addToList (Object  o) 

{ 

LinkedList  1  =  new  LinkedList {)  ; 

1 .  ob  j  =  o; 
l.next  =  this; 
return  1; 

} 

public  Object  getFromList { ) 

{ 

return  this.obj; 

} 

public  LinkedList  removeFromList ( ) 

{ 

return  this. next; 

1 
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public  synchronized  boolean  isEmptyO 

{ 

if  (this  ==  rear) 
return  true; 
else 

return  false; 

} 

public  String  toString ( ) 

{ 

if (isEmpty { ) ) 
return 
else 

return (this. obj  +  "  ”  +  this. next); 

} 

}//end  class 
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//-k-ir-k’k^'k-k’k-k-k^'k-k-k-k'kif-k-k-k-kir-k'k'k'k-k-k^iT'k^-k-k-k'k-k'k'k-k'k'k'k'k-ir-k-^^-k-k-k-k-k-k'k'^-k’k'k'k-k-kic’k-k-k-k-k'k 

II  File:  SymbolGenetator . j ava 
//  Date:  24  Feb  98 
// 

//  Author;  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer.  Generates  new  type  variables 

+  +  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  + 

package  thesis; 

import  java.io.*; 
import  java.lang.*; 

public  class  SymbolGenerator 

{ 

private  int  counter  =  0; 

private  static  String  TAU  =  ”tau"; 

public  synchronized  String  NextSymbolO 

{ 

String  Symbol  =  TAU  +  counter; 

counter++; 

return  Symbol; 

} 

public  static  void  main (String  []  args) 

{ 

SymbolGenerator  sg  =  new  SymbolGenerator () ; 

for(int  i  =  0;  i  <  10;  i++) { 

System. out. printlnCsg.NextSymbol () ) ; 

} 

} 

}//end  class 
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//*************  ***********-k***  **********  ****** 

II  File:  SymbolGenetator . j ava 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer.  A  data  structure 

f  f**************************************************^^^^^^^^^^^^^^^^^ 
package  thesis; 

public  class  Dual 

{ 

public  Triple  cs; 
public  Gamma  gamma; 
public  String  id; 

public  Dual (Triple  cs.  Gamma  gamma) 

{ 

this.cs  =  cs; 
this. gamma  =  gamma; 

} 

1 
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APPENDIX  C  -  TEST  PROGRAMS 
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//**************-k***i,-k-k-k**-tr****.)r***-lr*-),***-trir-k*****.k*********-k*iri,*-k**** 

//  File:  test. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 
// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
/ /  analyzer. 

//***************-)c**-k*-k-k**-k*-tr****-k*-)r*-)c-k-tr-k-k-k**-k*-lr*-k***-k-k**-k-k-k-k******** 

class  test 
{ 

public  static  void  pl(int  x,  int  y) 

{ 

y  =  x; 

} 

} 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

Constraint  set;  {xs  <  xa,  X2  =  Xi,  Xo  <  X2} 

Gamma:  pi  :  xsproc  (xovar,  Xjvar) 

Results  show,  with  x:  xovar  and  y:  Xivar,  that  Xo  <  Xi.  This  is  what  we  would  expect  to 
ensure  secure  flow  since  the  program  assigns  the  value  of  x  to  y. 
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//**-k**-lr-k***-*-k*******-)r-t:***-k**-k*-k******-k**-)r-)r*-lr**-tr-k*-k-k-k-k-k****-********--k*** 
//  File:  test. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information  flow  static 
//  analyzer. 

//*******-k*****-k*-lr*-k-k-k**-k-k-tr-k-k*****-k-)r*****-k-k*-k-)^-Hr-k*-k*****-k-h********-k** 
class  test 
{ 

public  static  void  pl(int  x,  int  y) 

{ 

if{x  ==  0) 
y  =  0; 
else 

y  =  1; 

} 

} 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

Constraint  set:  {17  =  15,  x?  =  X2,  Xg  <  X2,  X5  =  X2,  X3  =  X2, 

To  <  X2,  X5  <  X4,  X4  =  Xi,  X7  <  X6,  X6  =  Xi  } 

Gamma:  pi  :  xgproc  (xovar,  xivar) 
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Z/***********************************************^^^^^^^^^^ 
//  File:  test. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

/ /  Purpose:  Developed  as  part  of  a  secure  information 
//  flow  static  analyzer. 

//*************-ir-kir**-tr-)r-k-)r***-l,****-k*-lc-k-)r-k-ir**-h-k****-k***-)r*-lr->r-k**-k 

class  test 

{ 

public  static  void  pl(int  x,  int  y) 

{ 

int  a  =  x; 
int  b  =  0; 
while  (a  >  0) { 
b  =  b  +  l; 
a  =  a'  -  1; 

} 

y  =  b; 

} 

) 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

Constraint  set:  {xm  =  Xn,  Xi2<  T4,  Xs  =  X4,  X5  =  X4,  X2  <  X4,  Xu  =  Xg, 
tg  <  X6,  X6  =  X3,  X?  =  X6,  X3  <  X6,  Xii  <  X9,  X9  =  X2, 

Xio  =  X9,  X2  <  X9,  Xi4  <  Xi3,  Xi  =  Xi3,  X3  <  Xi3,  Xq  <  X2} 

Gamma  =  p  1 :  Xn  proc(xovar,  xi var) 

A  partial  trace  of  the  analysis  of  this  program  is  shown  in  Chapter  VI. 
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//******************************************************** 
//  File:  test. java 
//  Date:  24  Feb  98 
// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:  Developed  as  part  of  a  secure  information 
//  flow  static  analyzer. 

//**********  +  *****  +  ****************************^**^^^j.^^^j^ 

class  test 

{ 

public  static  void  pl(int  x,  int  y) 

{ 

int  a  =  x; 
int  b  =  0; 
while  (a  >  0) { 
b=b+l; 
a  =  a  -  1; 

) 

y  =  b; 

} 

public  static  void  p2(int  a,  int  b) 

{ 

a=a+4; 
b  =  b  +  2; 

if (a  >  b) { 
pi  (b,a) ; 

}else{ 

pi (a,b) ; 

} 

b  =  a  +  b; 

} 

public  static  void  main ( ) 

{ 

int  s  =  1; 
int  t  =  8 ; 
do  { 

p2 (2,t) ; 
t  =  t  -  1; 

} while (t  >  3) ; 

} 

} 
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The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

1 .  The  First  procedure,  p  1 ,  produces: 

Constraint  set:  (th  =  Xn,  I12  <  X4,  Xe  =  X4,  X5  =  X4,  X2  <  X4,  X9  =  Xe, 

Xg  <  X6,  X6  =  X3,  X?  =  Xe,  X3  <  X6,  X\  1  <  X9,  X9  =  X2, 

Xio  =  X9,  X2  <  X9,  Xi4  <  Xi3,  Xi3  =  Xi,  X3  <  Xi3,  Xq  <  X2  } 
Gamma:  pi:  Xi2proc  (xovar,  xivar) 

2.  The  second  procedure,  p2,  produces: 

Constraint  set:  { X30  =  X17,  X29  =  Xjy,  X20  =  Xn,  X19  <  Xn,  X17  =  T15, 

X18  =  Xi7,  Xi5  <  Xi7,  X22  <  X20,  X20  =  X16,  X21  =  X20, 

X16  <  X20,  X27  =  X25,  X27  =  X23,  X29  <  X23,  X25  =  X23, 

X24  =  X23,  Xi5  <  X23,  X16  <  X24,  X26  =  Xo,  X25  =  Xo, 

X16  <  X25,  Xi5  <  X26,  X28  =  Xo,  X27  =  Xo,  X15  <  T27,  X16  <  X28, 
X32  <  X30,  X30  =  X16,  X31  =  X30,  Xi5  <  X30,  X16  <  X31  } 

Gamma:  p2  :  xnproc  (xisvar,  Xievar) , 

pi  :  xi2proc  (xovar,  xivar) 


3.  The  third  procedure,  main,  produces: 

Constraint  set:  {X42  <  X40,  X35  =  X40,  X41  =  X40,  X34  <  X40, 
X37  =  X35,  X36  =  Xi5,  X35  =  Xi5,  X34  <  X36, 
X39  <  X37,  X37  =  X34,  X38  =  X37,  X34  <  X37  } 

Gamma:  main  :  X42proc  ( ) , 

p2  :  Xi7  proc  ( a :  Xi5var,  b :  Xievar), 
pi  :  Xi2proc  (x :  xovar,  y :  Xivar) 

4.  Gamma  is  updated  with  each  procedure. 
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